|buildstatus|_ |appveyor|_ |coverage|_
The ZODB browser allows you to inspect persistent objects stored in the ZODB, view their attributes and historical changes made to them.
.. warning::

  ZODB is based on Python pickles, which are not secure -- they allow arbitrary command execution. Do not use zodbbrowser on databases from untrusted sources.

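
A check related to the warning above, as an added example that is not part of zodbbrowser: it lists which globals a raw object record would import, using ``pickletools.genops``, which decodes opcodes without importing or calling anything. It assumes a record is two concatenated pickles (class, then state); the function names, the allowlist and the sample records are constructed for illustration.

```python
import io
import pickle
import pickletools
import subprocess
from collections import OrderedDict

# Assumption for this example: top-level packages the reviewer expects to see.
EXPECTED_PACKAGES = {"persistent", "BTrees", "collections"}
TEXT_PUSH = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_PUT = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
UNRESOLVED = ("?", "?")   # STACK_GLOBAL whose names could not be read statically


def referenced_globals(record):
    """Return every (module, name) that the pickles in `record` would import."""
    stream = io.BytesIO(record)
    found = set()
    while stream.tell() < len(record):        # a record may hold several pickles
        pushed = []                           # strings pushed just before this opcode
        for opcode, arg, _pos in pickletools.genops(stream):
            name = opcode.name
            if name in ("GLOBAL", "INST"):    # protocols 0-3: arg is "module name"
                found.add(tuple(arg.split(" ", 1)))
            elif name == "STACK_GLOBAL":      # protocol 4+: names come from the stack
                found.add(tuple(pushed[-2:]) if len(pushed) >= 2 else UNRESOLVED)
            if name in TEXT_PUSH:
                pushed.append(arg)
            elif name not in MEMO_PUT:        # anything else breaks the run: fail closed
                pushed = []
    return found


def unexpected_globals(record):
    """Sorted list of referenced globals outside EXPECTED_PACKAGES."""
    return sorted(g for g in referenced_globals(record)
                  if g[0].split(".")[0] not in EXPECTED_PACKAGES)


# Constructed sample records: a class pickle followed by a state pickle.
STATE = pickle.dumps({"title": "front page"}, protocol=3)
ORDINARY = pickle.dumps(OrderedDict, protocol=3) + STATE
SUSPECT_P3 = pickle.dumps(subprocess.Popen, protocol=3) + STATE
SUSPECT_P4 = pickle.dumps(subprocess.Popen, protocol=4) + STATE

if __name__ == "__main__":
    for label, rec in [("ordinary", ORDINARY), ("suspect", SUSPECT_P3),
                       ("suspect, protocol 4", SUSPECT_P4)]:
        print(label, unexpected_globals(rec) or "only expected globals")
```

An empty result only means that no unexpected import was found; it does not make a database from an untrusted source safe to open.
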
.. contents::
Install all the dependencies into the source tree with zc.buildout::

  python bootstrap.py
  bin/buildout

Run bin/zodbbrowser specifying either a filename or a ZEO address::

  bin/zodbbrowser /path/to/Data.fs
  bin/zodbbrowser --zeo localhost:9080
  bin/zodbbrowser --zeo /path/to/zeosock

If you don't have a spare Data.fs to test with, you can create a new empty one with just the barest Zope 3 scaffolding in it::

  bin/zodbbrowser empty.fs --rw

Open http://localhost:8070 in a web browser. Note that there are no access controls; all other users on the local machine will be able to access the database contents.

Or you could try to use ``easy_install`` or ``pip``. It may work or it may
not, depending on the current state of all the dependencies (buildout.cfg
hardcodes dependency versions to a known-working-together state, called the
"Zope 3.4 Known Good Set", so buildout-based installs are safer)::

  easy_install zodbbrowser
  zodbbrowser /path/to/Data.fs

Run ``bin/zodbbrowser --help`` to see a full and up-to-date list of
command-line options::

  Usage: zodbbrowser [options] [FILENAME | --zeo ADDRESS]

  Open a ZODB database and start a web-based browser app.

  Options:
    -h, --help        show this help message and exit
    --zeo=ADDRESS     connect to ZEO server instead
    --listen=ADDRESS  specify port (or host:port) to listen on
    --rw              open the database read-write (allows creation of the
                      standard Zope local utilities if missing)

If you don't want to see ``<persistent broken ...>`` everywhere, make sure
your application objects are importable from the Python path. The easiest way
of doing that is adding zodbbrowser to your application's buildout (or
virtualenv, if you use virtualenvs). This way your application (or Zope's)
nice repr will also be used.

There's a little 'help' link in the bottom-right corner of every page that describes the user interface in greater detail.
Add zodbbrowser to the list of eggs (e.g. in buildout.cfg of your app) and add this to your site.zcml::
Rerun bin/buildout, restart Zope and append @@zodbbrowser to the end of the URL to start browsing, e.g. http://localhost:8080/@@zodbbrowser. Or, if you still use ZMI (the Zope Management Interface), look for a new menu item titled "ZODB Browser".
There's a package called z3c.zodbbrowser in the Zope svn repository that implements the same idea (but without history browsing) as a GUI desktop application written using wxPython. It doesn't have a website and was never released to the Python Package Index.

There's also `dm.historical`__ which provides access to object history from
an interactive Python shell.

__ https://pypi.python.org/pypi/dm.historical

If you're not interested in history or objects that cannot be reached through URL traversal, you can use the built-in object inspector that comes with Zope 3 / Grok.

ZODB Browser was developed by Tautvilas Mečinskas (tautvilas@pov.lt) and
Marius Gedminas (marius@pov.lt) from `Programmers of Vilnius <https://pov.lt/>`_.
It is licenced under the `Zope Public Licence <https://opensource.org/licenses/ZPL-2.0>`_.

Please report bugs at https://github.com/mgedmin/zodbbrowser/issues.
There's an old bugtracker at https://bugs.launchpad.net/zodbbrowser but I'd really rather prefer new bugs in GitHub.

.. |buildstatus| image:: https://api.travis-ci.com/mgedmin/zodbbrowser.svg?branch=master
.. _buildstatus: https://travis-ci.com/mgedmin/zodbbrowser

.. |appveyor| image:: https://ci.appveyor.com/api/projects/status/github/mgedmin/zodbbrowser?branch=master&svg=true
.. _appveyor: https://ci.appveyor.com/project/mgedmin/zodbbrowser

.. |coverage| image:: https://coveralls.io/repos/mgedmin/zodbbrowser/badge.svg?branch=master
.. _coverage: https://coveralls.io/r/mgedmin/zodbbrowser

0.17.1 (2020-11-25)
~~~~~~~~~~~~~~~~~~~

- Fix interpreter crash (BTree_rangeSearch: Assertion 'highbucket != NULL'
  failed) in historical state computation for large OOBTrees (`GH #33 <https://github.com/mgedmin/zodbbrowser/issues/33>`__).

0.17 (2020-11-24)
~~~~~~~~~~~~~~~~~
- Fix @@zodbbrowser_history when using ZEO (AttributeError:
'TransactionIterator' object has no attribute 'close', `GH #31 <https://github.com/mgedmin/zodbbrowser/issues/31>`__).
- Fix OOBTree history browsing that regressed in 0.11.0: it was showing only a
subset of changes (those that touched the OOBTree itself) and wasn't showing
others (those that touched deeper OOBTreeBuckets).
- Fix TypeError for SampleContainer subclasses that use a non-persistent
``__data`` attribute (GH: #18)
- Make @@zodbbrowser_history give up rendering all the details if it takes
too long (more than 10 seconds); you can force fast mode by adding ``fast``
to the query parameters, and you can force full mode by adding ``full`` to
the query parameters.
- Make it possible to turn off the (slow) history part of @@zodbbrowser
by adding ``nohist`` to the query parameters.

0.16.2 (2020-11-24)
~~~~~~~~~~~~~~~~~~~

- Incomplete fix for @@zodbbrowser_history when using ZEO, broken since 0.12
  (AttributeError: 'TransactionIterator' object has no attribute 'close',
  `GH #31 <https://github.com/mgedmin/zodbbrowser/issues/31>`__).
- Add support for Python 3.8 and 3.9.
- Drop support for Python 3.5.

0.16.1 (2019-07-30)
~~~~~~~~~~~~~~~~~~~

- Fix system error when an object refers to another object that was
  added in a newer transaction (`GH #29 <https://github.com/mgedmin/zodbbrowser/issues/29>`__).

0.16.0 (2019-07-24)
~~~~~~~~~~~~~~~~~~~

0.15.2 (2019-07-11)
~~~~~~~~~~~~~~~~~~~

- Stop depending on the obsolete ZODB3 metapackage from 2012. Instead
  depend directly on persistent, BTrees, ZODB, and ZEO.

0.15.1 (2019-04-23)
~~~~~~~~~~~~~~~~~~~

0.15.0 (2019-04-02)
~~~~~~~~~~~~~~~~~~~

- Add support for Python 3.7.
- Add support for PyPy and PyPy3.
- Support zope.security proxies in PURE_PYTHON mode.
- Use our custom __repr__ instead of the new persistent one.
- Transaction IDs in generated URLs are now in hex.
- 100% test coverage.

0.14.0 (2017-11-15)
~~~~~~~~~~~~~~~~~~~

- Add support for Python 3.4, 3.5, 3.6.
- Drop support for ZODB 3.8.

0.13.1 (2017-10-06)
~~~~~~~~~~~~~~~~~~~

- Fixed @@zodbbrowser_history with recent versions of ZODB (AttributeError:
  MVCCAdapterInstance doesn't have attribute ``iterator``).

0.13.0 (2016-11-24)
~~~~~~~~~~~~~~~~~~~

- Dropped Python 2.6 support (because ZODB---more specifically BTrees---dropped it).
- Fixed rollback to work with ``transaction`` >= 2.0 (transaction notes must be
  Unicode now).

0.12.0 (2015-02-25)
~~~~~~~~~~~~~~~~~~~

- Show request URLs in history record headers (`GH #7 <https://github.com/mgedmin/zodbbrowser/issues/7>`__).
- Automate ZCML loading for Plone (`GH #9 <https://github.com/mgedmin/zodbbrowser/issues/9>`__).
- Fix standalone zodbbrowser when used with Zope 2 packages (`GH #10 <https://github.com/mgedmin/zodbbrowser/issues/10>`__).

0.11.2 (2015-01-09)
~~~~~~~~~~~~~~~~~~~

`GH #6 <https://github.com/mgedmin/zodbbrowser/issues/6>`__).

0.11.1 (2014-12-12)
~~~~~~~~~~~~~~~~~~~

- Updated bootstrap.py (`GH #3 <https://github.com/mgedmin/zodbbrowser/issues/3>`__).
- Fixed @@zodbbrowser_history not seeing new transactions because the
cache is forever (`GH #4 <https://github.com/mgedmin/zodbbrowser/issues/4>`__).

0.11.0 (2013-05-29)
~~~~~~~~~~~~~~~~~~~

``_order`` or ``_data`` attributes (I've seen the first in the wild).

`LP#1185175 <https://pad.lv/1185175>`__: cannot browse objects of classes that use
zope.interface.implementsOnly.

0.10.4 (2012-12-19)
~~~~~~~~~~~~~~~~~~~

- The previous release was completely broken (`LP#1091716 <https://pad.lv/1091716>`__). Fix the issue,
and fix tox.ini to actually run functional tests in addition to unit tests.

0.10.3 (2012-12-06)
~~~~~~~~~~~~~~~~~~~

`LP#1087138 <https://pad.lv/1087138>`__).

0.10.2 (2012-11-28)
~~~~~~~~~~~~~~~~~~~

- Bugfix for POSKeyErrors when viewing BTrees of non-trivial sizes
(`LP#953480 <https://pad.lv/953480>`__). This fixes a regression introduced in version 0.10.0.

0.10.1 (2012-11-27)
~~~~~~~~~~~~~~~~~~~

- Standalone app mode uses the Zope exception formatter for easier debugging.
- Bugfix for weird LocationError: 'class' for some containers with custom traversal rules.
- Links to persistent objects in value representations now also use hex OIDs.

0.10.0 (2012-02-29)
~~~~~~~~~~~~~~~~~~~

- Browsing of transaction records (@@zodb_history). Initial implementation so
far, unbelievably slow when you have large databases (`LP#907900 <https://pad.lv/907900>`__).
- ZODB Browser now avoids writing to the database even in read-write mode.
Previously when your objects had write-on-read semantics, those writes might
have snuck in.
- More descriptive page titles (`LP#931115 <https://pad.lv/931115>`__).
- Show object size in the header (`LP#497780 <https://pad.lv/497780>`__).
- Expand truncated values by clicking on them (`LP#931184 <https://pad.lv/931184>`__).
- More user-friendly representation of multiline text values.
- Update maintainer email in setup.py.
- Better error message for "address already in use" errors.
0.9.0 (2011-10-21)
~~~~~~~~~~~~~~~~~~
- Make it possible to use zodbbrowser as a plugin for Zope 2.12. Previously
you could only use the standalone zodbbrowser app with Zope 2.12 databases.
- Be more robust against exceptions happening in repr(): show the value as
"<unrepresentable Foo>" instead of erroring out.
- Make 'python -m zodbbrowser' run the standalone app on Python 2.5 and 2.7.
Note that 'python -m zodbbrowser.standalone' already worked on Python 2.4
through 2.7.
- Add an option to specify ZEO storage name (--storage NAME). Contributed by
Thierry Florac.
0.8.1 (2010-12-18)
~~~~~~~~~~~~~~~~~~
- Show tuple differences more clearly in the history. (Uses a really dumb
diff algorithm that just looks for a common prefix/suffix. Works really
well when you append to the end, or remove just a single item. I cannot
use difflib.SequenceMapper because there's no guarantee tuple items are
hashable.)
- Make it possible to locate an object by OID: press g, then type the oid
(hex and both decimal supported; even octal, should you wish to use it).
You can also find subobjects starting from a given OID by entering paths
like '0x1234/sub/object'.
- Catch and display unpickling errors of the current state, not just
historical older states.
- Handle missing interfaces that are directly provided by persistent objects.
This works for the standalone zodbbrowser application; the zope.interface
monkey-patch for this is too intrusive to install when using zodbbrowser
as a plugin.
- Made ``pip install zodbbrowser`` work properly by adding explicit
dependencies that easy_install would've picked up from setuptools extras.
Note: if you get ``AttributeError: __file__``, make sure
zope.app.applicationcontrol is at least version 3.5.9. Older versions will
not work with pip.
0.8.0 (2010-11-16)
~~~~~~~~~~~~~~~~~~
- Support all kinds of ZODB databases, not just those used by Zope 3/BlueBream
apps (`LP#494987 <https://pad.lv/494987>`__).
- Renders tuples and lists that contain large dicts better.
- Remove dependency on zope.dublincore/zope.app.dublincore (`LP#622180 <https://pad.lv/622180>`__).
0.7.2 (2010-08-13)
~~~~~~~~~~~~~~~~~~
- Fixed TypeError: int() can't convert non-string with explicit base
that could occur if no persistent objects were accessible from the request,
and no explicit oid was passed.
- Handle proxies better: when type(obj) != obj.__class__, show both.
- Handle ContainedProxy objects with their special persistence scheme.
0.7.1 (2010-03-30)
~~~~~~~~~~~~~~~~~~
- IMPORTANT BUGFIX: don't leave old object states lying around in ZODB object
cache, which could lead to DATA LOSS (`LP#487243 <https://pad.lv/487243>`__ strikes again, this time
for OrderedContainers).
I've audited the code and am fairly confident this bug is now dead dead
dead.
- Try to discard data modifications when the DB is opened read-only.
- Avoid deprecated zope.testing.doctest.
- Avoid zope.app.securitypolicy; use zope.securitypolicy.
0.7 (2009-12-10)
~~~~~~~~~~~~~~~~
- Stopped using setuptools extras; now easy_install zodbbrowser is sufficient
to run the standalone app.
0.6.1 (2009-12-09)
~~~~~~~~~~~~~~~~~~
- Compatibility with latest Zope packages, including ZODB 3.9.x.
0.6 (2009-12-07)
~~~~~~~~~~~~~~~~
- Ability to revert object state to an older version. Requires a read-write
database connection (i.e. run bin/zodbbrowser --rw). The button is hidden
and appears when you're hovering over a transaction entry in the list.
- Collapse long item lists by default.
0.5.1 (2009-11-23)
~~~~~~~~~~~~~~~~~~
- IMPORTANT BUGFIX: don't leave old object states lying around in ZODB object
cache, which could lead to DATA LOSS (`LP#487243 <https://pad.lv/487243>`__). This affected OOBTree
objects.
0.5 (2009-11-23)
~~~~~~~~~~~~~~~~
- Be a bit more tolerant to unpickling errors (show which revision could not
be loaded instead of breaking the whole page).
- Show full history of OOBTree objects and subobjects (`LP#474334 <https://pad.lv/474334>`__).
- Change background color of links on hover, to make it clear what
object you'll see when you click, especially when the __repr__ shown
contains reprs of subobjects.
- Show size of containers next to the "Items" heading (`LP#486910 <https://pad.lv/486910>`__).
- Show size of containers next to their representation, e.g.
"<persistent.dict.PersistentDict object at 0xad0b3ec> (0 items)".
- Pay attention when __name__ is declared as a class attribute (`LP#484899 <https://pad.lv/484899>`__).
- Show names of directly provided interfaces on objects (i.e. show a better
representation of pickled zope.interface.Provides objects).
- Pretty-printing of dictionaries (including nested ones).
0.4 (2009-10-11)
~~~~~~~~~~~~~~~~
- @@zodbbrowser oid and tid parameters now accept values in hex format (0x0123)
Patch by Adam Groszer.
0.3.1 (2009-07-17)
~~~~~~~~~~~~~~~~~~
- Fixed install error on Windows (path cannot end in /).
0.3 (2009-07-17)
~~~~~~~~~~~~~~~~
- First public release