AccessControl bug fixed
Hello,

I found a bug in ZopeSecurityPolicy and fixed it.

http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy...

Is it possible to release a new version?

Regards,
-- 
Yusei TAHARA <yusei@domen.cx>
On 22 August 2012 18:30, Yusei TAHARA <yusei@domen.cx> wrote:
> Hello,
>
> I found a bug in ZopeSecurityPolicy and fixed it.
>
> http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy...
>
> Is it possible to release a new version?

Are we sure this wasn't done on purpose? At least it needs some review; there's lots of weird caching and lazy loading of global variables in that module. I *think* it's fine looking at the diff, but a second opinion would be useful.

Martin
On Wed, Aug 22, 2012 at 3:00 PM, Yusei TAHARA <yusei@domen.cx> wrote:
> I found a bug in ZopeSecurityPolicy and fixed it.
>
> http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy...
>
> Is it possible to release a new version?

I can do that. But is there any chance you could write a test for this? Or at least tell us how you found this bug?

Hanno
Hi, does this have any security implications?

On Wed, Aug 22, 2012 at 3:00 PM, Yusei TAHARA <yusei@domen.cx> wrote:
> > I found a bug in ZopeSecurityPolicy and fixed it.
> >
> > http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy...
> >
> > Is it possible to release a new version?
>
> I can do that. But is there any chance you could write a test for this? Or at least tell us how you found this bug?
>
> Hanno

-- 
Nidelven IT || We know Python, Zope & Plone
http://www.nidelven-it.no/
On Thu, Aug 23, 2012 at 5:23 PM, <lists@nidelven-it.no> wrote:
> does this have any security implications?

In short: No.

Long answer: Not unless you have very custom code similar to what's in the provided test (providing a custom rolesForPermissionOn callable on a class). And that code would have never worked as intended, or at least it would have already been broken in Zope 2.12.

Hanno
On 08/23/2012 11:23 AM, lists@nidelven-it.no wrote:
> does this have any security implications?

The bug doesn't provide any obvious attack vector. Applications which used the doubly-unusual feature ('__roles__' being a class instance, rather than a list or tuple, and in addition having a 'rolesForPermission' method) would have the last-used such class have its 'rolesForPermission' used instead of the normal 'global' one in subsequent initial checks inside 'AccessControl.ZopeSecurityPolicy.get_roles'.

Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com