Comment 0 for bug 627988

Patrick Gerken (do3cc) wrote :

This has been observed with regular Plone installations, but the root cause is in Zope.

The easiest way to trigger this behaviour is buildbot.

Create this buildout.cfg:

[buildout]
extends=http://svn.plone.org/svn/collective/buildout/plonetest/plone-3.3.5.cfg

Get yourself a copy of bootstrap.py and run buildout.

Start Zope.
Create a Zope site.
Add a page.
Log out.
As anonymous, create a URL like this: http://yoursite/plone/new_page?came_from:list=123

This request will trigger an exception in the exception handling. The exception does not get caught anywhere, causing the thread to be killed.
Doing this four times kills all threads; the Zope process itself continues to run.

This problem does not occur with Zope 2.12. There, the ZServer has a catchall exception handler that covers the issue.

I created a branch from the 2.10 branch:
svn+ssh://<email address hidden>/repos/main/Zope/branches/do3cc_catchall

It contains the same changes as they happened in Zope 2.12. On retrying the above procedure, the user does not get any answer, but the thread also does not die.

I'll mark this issue as a security vulnerability because I want the bug to be private.

This bug was originally reported by somebody else.
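
A simplified model of the failure and of the catch-all fix described in the comment above, added here as an illustration and not taken from Zope or from the reporter's branch. It is a four-thread worker pool built on Python's standard library; `handle`, `render_error`, `worker`, `run_pool` and the sample requests are all hypothetical names and constructed data.

```python
import queue
import threading
import time

POOL_SIZE = 4  # the report needs four requests to kill all threads


def render_error(request):
    # Constructed stand-in for error handling that itself fails; the report
    # does not say which call raises, so this detail is an assumption.
    return "bad value: " + request["came_from"]  # TypeError if it is a list


def handle(request):
    try:
        if not isinstance(request["came_from"], str):
            raise ValueError("unexpected type")
        return "200 " + request["came_from"]
    except ValueError:
        return render_error(request)  # second exception is raised in here


def worker(jobs, answers, catch_all):
    while True:
        request = jobs.get()
        try:
            answers.append(handle(request))
        except Exception:
            if not catch_all:
                raise  # pre-fix behaviour: exception escapes and ends the thread
            # Catch-all: no answer is sent, but the worker keeps serving.


def run_pool(requests, catch_all):
    """Feed requests to POOL_SIZE workers; return (threads alive, answers)."""
    jobs, answers = queue.Queue(), []
    threads = [threading.Thread(target=worker, args=(jobs, answers, catch_all),
                                daemon=True) for _ in range(POOL_SIZE)]
    for thread in threads:
        thread.start()
    for request in requests:
        jobs.put(request)
    time.sleep(0.5)  # ample time for this constructed workload to drain
    return sum(t.is_alive() for t in threads), answers


# Constructed input: four failing requests followed by one ordinary request.
SAMPLE = [{"came_from": ["123"]}] * POOL_SIZE + [{"came_from": "/front-page"}]

if __name__ == "__main__":
    print("no catch-all:", run_pool(SAMPLE, catch_all=False))
    print("catch-all:   ", run_pool(SAMPLE, catch_all=True))
```

Without the catch-all, the ordinary request at the end is never answered because no worker is left to pick it up, while the process itself keeps running. A monitoring check that only tests whether the process exists would miss this state.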