[CMF-checkins] SVN: CMF/branches/1.6/C MAke the last of the POST
only fixes and update history
Alec Mitchell
apm13 at columbia.edu
Sun Apr 15 00:39:04 EDT 2007
Log message for revision 74141:
Make the last of the POST-only fixes and update history
Changed:
U CMF/branches/1.6/CHANGES.txt
U CMF/branches/1.6/CMFCore/MembershipTool.py
-=-
Modified: CMF/branches/1.6/CHANGES.txt
===================================================================
--- CMF/branches/1.6/CHANGES.txt 2007-04-15 00:05:02 UTC (rev 74140)
+++ CMF/branches/1.6/CHANGES.txt 2007-04-15 04:39:02 UTC (rev 74141)
@@ -1,3 +1,11 @@
+CMF 1.6.4 (unreleased):
+
+ Bug Fixes
+
+ - Add POST-only protections to security critical methods (see
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0240).
+ [mj, bloodbare, alecm]
+
CMF 1.6.3 (2007/02/02)
No changes since CMF 1.6.3-beta
Modified: CMF/branches/1.6/CMFCore/MembershipTool.py
===================================================================
--- CMF/branches/1.6/CMFCore/MembershipTool.py 2007-04-15 00:05:02 UTC (rev 74140)
+++ CMF/branches/1.6/CMFCore/MembershipTool.py 2007-04-15 04:39:02 UTC (rev 74141)
@@ -90,7 +90,7 @@
manage_mapRoles = DTMLFile('membershipRolemapping', _dtmldir )
security.declareProtected(SetOwnPassword, 'setPassword')
- def setPassword(self, password, domains=None):
+ def setPassword(self, password, domains=None, REQUEST=None):
'''Allows the authenticated member to set his/her own password.
'''
registration = getToolByName(self, 'portal_registration', None)
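Review bot: The docstring of setPassword is left unchanged while the signature gains a REQUEST parameter, so a reader cannot tell from the method itself that it is now POST-only when published or why REQUEST exists. I would extend the docstring with `REQUEST, when supplied by the publisher, must be a POST request (the method is wrapped by postonly); in-process callers pass None.` The same gap applies to setRoleMapping's docstring in the hunk starting at old line 167, which also gains REQUEST without documenting it. setPassword's body continues past this hunk into the following one.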
@@ -103,6 +103,7 @@
member.setSecurityProfile(password=password, domains=domains)
else:
raise BadRequest('Not logged in.')
+ setPassword = postonly(setPassword)
security.declarePublic('getAuthenticatedMember')
def getAuthenticatedMember(self):
@@ -167,7 +168,7 @@
return roles
security.declareProtected(ManagePortal, 'setRoleMapping')
- def setRoleMapping(self, portal_role, userfolder_role):
+ def setRoleMapping(self, portal_role, userfolder_role, REQUEST=None):
"""
set the mapping of roles between roles understood by
the portal and roles coming from outside user sources
@@ -183,6 +184,7 @@
title ='Mapping updated',
message='The Role mappings have been updated',
action ='manage_mapRoles')
+ setRoleMapping = postonly(setRoleMapping)
security.declareProtected(ManagePortal, 'getMappedRole')
def getMappedRole(self, portal_role):
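Review bot: Rebinding setRoleMapping through postonly means the manage_mapRoles form (the membershipRolemapping DTML file bound at the top of the first hunk) will be rejected if it still submits with GET; that template is not part of this commit, so confirm it uses `method="POST"` before this lands. The wrapper only enforces the method when the publisher passes a real request, so in-process Python callers that leave REQUEST as None are presumably unaffected; that is worth stating next to the rebinding, e.g. `# POST-only when published; in-process callers pass REQUEST=None`. The enclosing class continues outside the hunk.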