[CMF-checkins] CVS: CMF/CMFHotfix_20031026 - README.txt:1.1 __init__.py:1.1 version.txt:1.1
Tres Seaver
cvs-admin at zope.org
Mon Oct 27 14:44:58 EST 2003
Update of /cvs-repository/CMF/CMFHotfix_20031026
In directory cvs.zope.org:/tmp/cvs-serv6501/CMFHotfix_20031026
Added Files:
README.txt __init__.py version.txt
Log Message:
- Check in hotfix product.
=== Added File CMF/CMFHotfix_20031026/README.txt ===
CMF Hotfix Release, 2003/10/26
Overview
This hotfix product addresses two issues with the Zope Content
Management Framework (CMF):
- It changes the permission assigned to the 'searchMembers'
method of the 'portal_membership' tool. This method exposes user
IDs and other information about site members, and could be used by a
sufficiently clever cracker to mount an attack on the site.
- It patches the 'registeredNotify' method of the 'portal_registration'
tool, removing the possibility that an attacker might inject a
hostile e-mail address into the mail which it generates.
Zope Corporation recommends that all CMF-based sites upgrade to a version
(see below) which contains the fixes for these issues. Sites which for some
reason cannot upgrade may instead install this hotfix product.
Affected Versions
Users of CMF version 1.4.1 are potentially affected by these issues,
as are users of version 1.3.2 and earlier. Versions 1.3.3 and 1.4.2
will contain the fixes, and therefore will not require this hotfix.
Obtaining the Hotfix
The hotfix is available in two formats:
- As a "Unix tarball",
http://cmf.zope.org/download/CMFHotfix_20031026/CMFHotfix_20031026.tar.gz
- As a "Windows zipfile",
http://cmf.zope.org/download/CMFHotfix_20031026/CMFHotfix_20031026.zip
Installing the Hotfix
1. Unpack the tarball into a working directory, and then move or link
the 'CMFHotfix_20031026' directory into the Products directory of
your '$INSTANCE_HOME' (next to 'CMFCore', 'CMFDefault', etc.).
2. Restart Zope.
E.g., assuming that you have Zope installed in '/usr/lib/Zope-2.6.1'
(the '$SOFTWARE_HOME'), and that your instance data is in
'/var/zope/instance' (the '$INSTANCE_HOME')::

  $ cd /var/zope/instance/Products
  $ tar xzf /tmp/CMFHotfix_20031026.tar.gz
  $ cd /var/zope/instance
  $ kill -HUP `cat var/Z2.pid`
Windows users should unzip the ZIP file and move the extracted
'CMFHotfix_20031026' folder to their Zope's 'Products' folder.
Uninstalling the Hotfix
You may remove the 'CMFHotfix_20031026' product directory after upgrading
to one of the updated versions of CMF (1.3.3, 1.4.2, or later). E.g.::

  $ cd /var/zope/instance/Products
  $ rm -r CMFHotfix_20031026
=== Added File CMF/CMFHotfix_20031026/__init__.py ===
""" CMFHotfix_20031026 product.

    Please see the README.txt for affected versions, installation, etc.

$Id: __init__.py,v 1.1 2003/10/27 19:44:57 tseaver Exp $
"""
from zLOG import LOG, INFO
from AccessControl.PermissionRole import PermissionRole

from Products.CMFCore.CMFCorePermissions import View, ListPortalMembers
from Products.CMFCore.MembershipTool import MembershipTool as MTool
from Products.CMFCore.utils import getToolByName
from Products.CMFDefault.RegistrationTool import RegistrationTool as RTool

def _update_MembershipTool_searchMembers_permission():
    """ Repair Collector #189 by careful surgery on the class dictionary
        of MembershipTool.
    """
    new_permissions = []

    for k, v in MTool.__ac_permissions__:
        if k == View:
            # Drop 'searchMembers' from the methods protected by 'View'.
            new_v = [ x for x in v if x != 'searchMembers' ]
            v = tuple( new_v )
        new_permissions.append( ( k, v ) )

    # Protect 'searchMembers' with 'List portal members' instead.
    new_permissions.append( ( ListPortalMembers, ( 'searchMembers', ) ) )
    MTool.__ac_permissions__ = tuple( new_permissions )

    # Also replace the per-method roles attribute that the security
    # machinery consults at call time, so the change takes effect without
    # re-running the class security declarations.
    MTool.searchMembers__roles__ = PermissionRole( ListPortalMembers
                                                 , ( 'Manager', )
                                                 )
    LOG( "CMFHotfix_20031026", INFO
       , "Updated permission on "
       + "CMFCore.MembershipTool.MembershipTool.searchMembers"
       + " from 'View' to 'List portal members'"
       )

def _safer_registeredNotify( self, new_member_id ):
    """ Handle mailing the registration / welcome message.
    """
    membership = getToolByName( self, 'portal_membership' )
    member = membership.getMemberById( new_member_id )

    if member is None:
        # Python 2 / Zope 2 string exception; the publisher renders it as
        # a 404.
        raise 'NotFound', 'The username you entered could not be found.'

    password = member.getPassword()
    # The recipient address comes from the stored member record only,
    # never from the request.
    email = member.getProperty( 'email' )

    if email is None:
        raise ValueError( 'No email address is registered for member: %s'
                        % new_member_id )

    # Rather than have the template try to use the mailhost, we will
    # render the message ourselves and send it from here (where we
    # don't need to worry about 'UseMailHost' permissions).
    mail_text = self.registered_notify_template( self
                                               , self.REQUEST
                                               , member=member
                                               , password=password
                                               , email=email
                                               )

    host = self.MailHost
    host.send( mail_text )

    return self.mail_password_response( self, self.REQUEST )

def _monkeyPatch_RegistrationTool_registerNotify():
    """ Don't allow the user to smuggle in an email address via the request.
    """
    RTool.registeredNotify = _safer_registeredNotify
    LOG( "CMFHotfix_20031026", INFO
       , "Monkey patched "
       + "CMFDefault.RegistrationTool.RegistrationTool.registeredNotify"
       + " to prevent email forgery"
       )

def initialize( context ):
    _update_MembershipTool_searchMembers_permission()
    _monkeyPatch_RegistrationTool_registerNotify()
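The two changes above depend on Zope and CMF being importable, which makes them hard to read in isolation. The following is an added example, not part of the hotfix or of CMF, that models both fixes in plain Python: a generalised version of the `__ac_permissions__` surgery (it moves any method between any two permissions and tolerates being run twice, which the hotfix itself does not need to), and a registration-notify routine that takes the recipient only from the stored member record, so an `email` value carried in the request has no effect. `Member`, `MailSink`, the permission strings and the sample data are constructed stand-ins for the CMF objects, not the real API.

```python
"""Pure-Python model of the two CMFHotfix_20031026 fixes (added example)."""

# Constructed stand-ins for the CMFCore permission names.
VIEW = 'View'
LIST_PORTAL_MEMBERS = 'List portal members'


def move_method_permission(ac_permissions, method, old_perm, new_perm):
    """Return a new __ac_permissions__-style tuple with `method` no longer
    protected by `old_perm` and protected by `new_perm` instead.

    `ac_permissions` is a tuple of (permission_name, (method, ...)) pairs,
    the shape Zope 2 classes use.  Existing entries keep their order; the
    method is added to an existing `new_perm` entry if there is one,
    otherwise a fresh entry is appended.  Running it twice is a no-op.
    """
    result = []
    placed = False
    for perm, methods in ac_permissions:
        methods = tuple(methods)
        if perm == old_perm:
            methods = tuple(m for m in methods if m != method)
        if perm == new_perm:
            if method not in methods:
                methods = methods + (method,)
            placed = True
        result.append((perm, methods))
    if not placed:
        result.append((new_perm, (method,)))
    return tuple(result)


def permission_for(ac_permissions, method):
    """Return the permission protecting `method`, or None if it is unlisted.
    Useful as a post-patch check that nothing sensitive is still under View."""
    for perm, methods in ac_permissions:
        if method in methods:
            return perm
    return None


class Member:
    """Constructed stand-in for a CMF member object."""
    def __init__(self, member_id, email, password):
        self.id = member_id
        self._props = {'email': email}
        self._password = password

    def getPassword(self):
        return self._password

    def getProperty(self, name, default=None):
        return self._props.get(name, default)


class MailSink:
    """Constructed stand-in for MailHost: records (recipient, text) pairs."""
    def __init__(self):
        self.sent = []

    def send(self, to, text):
        self.sent.append((to, text))


def registered_notify(request, members, mailhost, new_member_id):
    """Hardened model of registeredNotify.

    The recipient is read from the member record alone; `request` is
    accepted for signature compatibility but never consulted for the
    address, which is the property the hotfix restores.  Returns the
    address the welcome mail was sent to.
    """
    member = members.get(new_member_id)
    if member is None:
        raise LookupError('The username you entered could not be found.')
    email = member.getProperty('email')
    if email is None:
        raise ValueError('No email address is registered for member: %s'
                         % new_member_id)
    text = 'Welcome %s, your password is %s' % (new_member_id,
                                                member.getPassword())
    mailhost.send(email, text)
    return email


if __name__ == '__main__':
    # Constructed sample permission table, before and after the move.
    before = ((VIEW, ('getMemberById', 'searchMembers')),
              ('Manage users', ('addMember',)))
    after = move_method_permission(before, 'searchMembers', VIEW,
                                   LIST_PORTAL_MEMBERS)
    print(permission_for(before, 'searchMembers'), '->',
          permission_for(after, 'searchMembers'))

    # Constructed request carrying a foreign address: it is ignored.
    sink = MailSink()
    people = {'alice': Member('alice', 'alice@example.org', 'pw')}
    print(registered_notify({'email': 'other@example.net'}, people, sink,
                            'alice'))
```

`permission_for` is the check worth keeping around after any monkey patch of this kind: assert on it at startup so a later CMF upgrade that reintroduces the method under `View` is noticed rather than silently shadowed.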
=== Added File CMF/CMFHotfix_20031026/version.txt ===
20031026