- Merge a number of entangled issues from 2.6 / 2.7 audit:

    Iteration over sequences could in some cases fail to check access
    to an object obtained from the sequence. Subsequent checks (such
    as for attributes access) of such an object would still be
    performed, but it should not have been possible to obtain the
    object in the first place.

    List and dictionary instance methods such as the get method of
    dictionary objects were not security aware and could return an
    object without checking access to that object. Subsequent checks
    (such as for attributes access) of such an object would still be
    performed, but it should not have been possible to obtain the
    object in the first place.

    Use of "import as" in Python scripts could potentially rebind
    names in ways that could be used to avoid appropriate security
    checks.

    A number of newer built-ins were either unavailable in untrusted
    code or did not perform adequate security checking.

    Unpacking via function calls, variable assignment, exception
    variables and other contexts did not perform adequate security
    checks, potentially allowing access to objects that should have
    been protected.

    Class security was not properly intialized for PythonScripts,
    potentially allowing access to variables that should be protected.
    It turned out that most of the security assertions were in fact
    activated as a side effect of other code, but this fix is still
    appropriate to ensure that all security declarations are properly
    applied.

    DTMLMethods with proxy rights could incorrectly transfer those
    rights via acquisition when traversing to a parent object.

  - Wire up security policy selection machinery to ZConfig (note that the
    'C' policy is currently borked, but should be fixed very soon).

  - Don't allow Unicode strings to be passed to response.write() (merged
    from 2.6 / 2.7 audit).

  - HTTPResponse.py:  CGI escapes (merged from 2.6 / 2.7 audit).

  - xmlrpc.py:  Exclude "private" attributes when marshalling an instance
    as an XML-RPC dict (merged from 2.6 / 2.7 audit).

  - SimpleTree.py:  CGI escapes (merged from 2.6 / 2.7 audit).

  - Tree.py:  prevent DoS agains tree state cookie decompression (merged
    from 2.6 / 2.7 audit).

  - Prevent DoS attack against decompression of tree state cookie (merged
    from 2.6 / 2.7 audit).

  - Bindings.py:  verify access to 'context' and 'container' names before
    returning (merged from 2.6 / 2.7 audit).

  - dtml/scriptTry.dtml:  CGI escapes (merged from 2.6 / 2.7 audit).

  - CGI escape merge (from 2.6 / 2.7 audit).

  - Store 'lines' and 'tokens' properties as tuples, not lists (merge from
    2.6 / 2.7 audit).

  - Add security assertions for FindSupport (merge from 2.6 / 2.7 audit).

  - Disentangle permission settings for related classes (merge from 2.6
    / 2.7 audit).

  - Merge CGI-escape templating changes from 2.6 / 2.7 audit work.

  - Use 'test.py' as the driver for 'make test', rather than
    'utilities/testrunner.py'.

Collector #1074: Change Scripts' __name__ to None, added unit tests for the effect of __name__ on class definitions and imports.

Adds an option to spawn a process and capture its I/O.  Just a
checkpoint because it doesn't do anything with the captured I/O yet.

Refactor the main SvcDoRun() method to make it a little easier to
read.  Move the details of log messages to helper methods.  Trim
comments that explain obvious code.

Make log messages read the same as zdaemon log messages.

Don't throw misleading warnings about duplicate products on product path unless there actually are duplicate products on product path.� Also, add unit tests for product initialization.

- removed redundant import

     - Range searches with KeywordIndexes did not work with record-style
       query parameters

     - Using "_usage" parameters in a ZCatalog query is deprecated and
       logged as DeprecationWarning.

ZConfig.components.logger, adding only what's special about the zLOG
version of the factory

       logged as DeprecationWarning.

ZConfig.logger.log type, since it does

the logging package; this avoids lots of code duplication