RE: [Zope] Re: Security Bug -- To be fixed in Zope 2.7.5
Not to be a nag, but is there a date when this fix will be available?? Either in 2.7.5RC# or otherwise?? I admit I am not much of a Python programmer, as of yet, so most of what I am seeing is unfamiliar to me about where the fix is.

Jay

-----Original Message-----
From: Tres Seaver [mailto:tseaver@zope.com]
Sent: Thursday, March 10, 2005 3:27 PM
To: zope@zope.org
Cc: andreas.jung@haufe.de
Subject: [Zope] Re: Security Bug -- To be fixed in Zope 2.7.5

Dieter Maurer wrote:
| Malcolm Cleaton wrote at 2005-3-10 10:07 +0000:
|
|>...
|>
|>>It should not be necessary:
|>>
|>> A user should not be able to access any *protected* (!) object
|>> outside the subhierarchy governed by the user folder
|>> that authenticated the user.
|>>
|>>But maybe, we have a bug (and "aq_inContextOf" does not work
|>>as expected).
|>
|>Yes, this shouldn't be necessary, and it looks like it's a bug.
|>
|>Looks to me like the bug is in User.py's allowed method. Quite simply,
|>when it checks for the Authenticated role, it doesn't call
|>self._check_context,
|>so never attempts to detect and foil acquisition
|>tricks. Unless I'm missing something, it should be a quick and easy fix.
|
|
| You are right!

Yep. The only hard part will be writing a decent unit test which exercises the bug:

- -------------------- 8< ------------------
diff -u -r1.176.14.7 User.py - --- lib/python/AccessControl/User.py 25 Jan 2005 13:46:14 -0000 1.176.14.7 +++ lib/python/AccessControl/User.py 10 Mar 2005 20:26:53 -0000
@@ -182,7 +182,8 @@ ~ # role and user is not nobody ~ if 'Authenticated' in object_roles and ( ~ self.getUserName() != 'Anonymous User'): - - return 1 + if self._check_context(object): + return 1 ~ # Check for ancient role data up front, convert if found. ~ # This should almost never happen, and should probably be
- -------------------- 8< ------------------

Tres.

- --
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
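Review bot: when `self._check_context(object)` is false, the new branch falls through to the rest of `allowed` (the "ancient role data" conversion and whatever follows) instead of denying outright; that is only safe if every later grant in the method applies the same context check, so either confirm that or add an explicit `return 0` for the failing case right after the new `if`. The message itself says the hard part is the unit test, and the patch carries none: the test should authenticate a user against a nested user folder and assert that `allowed()` returns 0 for an object carrying the Authenticated role that sits outside that user folder's subhierarchy, which is the case described upthread.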
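A simplified model of the bug and the fix discussed above, added here as an example and not Zope's own code: `Obj`, `User`, `in_context_of`, `allowed_before`, `allowed_after` and `demo` are hypothetical stand-ins, with plain containment replacing Zope's acquisition chain and `aq_inContextOf`.

```python
# Added example, not Zope's code: a simplified model of the User.allowed() branch
# the thread's patch changes. Containment stands in for Zope's acquisition chain
# and aq_inContextOf; only the 'Authenticated' branch is modelled.

class Obj:
    """Zope-like object: `parent` is its container, `roles` the roles granted use."""
    def __init__(self, name, parent=None, roles=()):
        self.name, self.parent, self.roles = name, parent, set(roles)

    def in_context_of(self, folder):
        """Stand-in for aq_inContextOf: is `folder` on this object's parent chain?"""
        node = self
        while node is not None and node is not folder:
            node = node.parent
        return node is folder

class User:
    def __init__(self, name, home):
        # home: folder governed by the user folder that authenticated this user
        self.name, self.home = name, home

    def _check_context(self, obj):
        # A user's roles only apply inside the subhierarchy governed by the user
        # folder that authenticated them; anywhere else the answer must be "no".
        return obj.in_context_of(self.home)

    def allowed_before(self, obj, object_roles):
        # Pre-patch behaviour described upthread: 'Authenticated' is granted to
        # any non-anonymous user without looking at where the object lives.
        if 'Authenticated' in object_roles and self.name != 'Anonymous User':
            return 1
        return 0

    def allowed_after(self, obj, object_roles):
        # Post-patch behaviour: the same grant now requires _check_context().
        if 'Authenticated' in object_roles and self.name != 'Anonymous User':
            if self._check_context(obj):
                return 1
        return 0

def demo():
    """Constructed tree: alice is authenticated by site_a's user folder; `secret`
    lives in the sibling site_b. Returns (before, after, after for a site_a page)."""
    root = Obj('root')
    site_a, site_b = Obj('site_a', root), Obj('site_b', root)
    secret = Obj('secret', site_b, roles=['Authenticated'])
    page = Obj('page', site_a, roles=['Authenticated'])
    alice = User('alice', site_a)
    return (alice.allowed_before(secret, secret.roles),
            alice.allowed_after(secret, secret.roles),
            alice.allowed_after(page, page.roles))
```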
This will be in 2.7.5 final.

-aj

--On Wednesday, 16 March 2005 7:40 -0500 Jay Zeemer <jzeemer@edcor.com> wrote:
Not to be a nag, but is there a date when this fix will be available?? Either in 2.7.5RC# or otherwise?? I admit I am not much of a Python programmer, as of yet, so most of what I am seeing is unfamiliar to me about where the fix is.
Jay
Any dates for that yet?

Andreas Jung wrote:
This will be in 2.7.5 final.
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
The release plan has been posted to zope-coders *wink*

-aj

--On Thursday, 17 March 2005 11:40 +0000 Chris Withers <chris@simplistix.co.uk> wrote:
Any dates for that yet?