[Zodb-checkins] CVS: ZODB3/ZEO - ClientStorage.py:1.106.4.3
Jeremy Hylton
jeremy at zope.com
Fri Sep 19 15:01:58 EDT 2003
Update of /cvs-repository/ZODB3/ZEO
In directory cvs.zope.org:/tmp/cvs-serv25006/ZEO
Modified Files:
Tag: Zope-2_7-branch
ClientStorage.py
Log Message:
Fix security problem in ZEO authentication code.
There were two serious bugs:
- The smac layer would accept a message without a MAC even after the
session key was established.
- The client never initialized its session key, so it never checked
incoming messages or created MACs for outgoing messages.
Fixed both, but still need to change the smac layer so that it has
separate HMAC objects for each end of the connection.
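The two bugs in the log message describe a message-authentication layer failing open: a receiver that still takes the "no MAC" path after the session key exists, and a peer that never installs its key and so neither checks nor produces MACs. The following is added example code, not ZEO's smac implementation, that models a framed channel with a chained HMAC per direction (the separate per-end HMAC objects the message says are still needed) and shows what a fixed receiver rejects. The frame layout, direction labels, endpoint names and the sample session key are assumptions made for this example.

```python
"""Toy HMAC-framed channel illustrating the two smac bugs in the commit
message: (1) accepting a MAC-less frame after the session key is set, and
(2) an endpoint that never installs its session key. Added example code,
not ZEO's smac; framing, names and the sample key are assumptions."""
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1
HEADER = struct.Struct(">I")          # 4-byte big-endian payload length


class AuthError(Exception):
    """A frame failed, or lacked, MAC verification."""


class Endpoint:
    """One end of a connection with separate send/recv HMAC chains."""

    def __init__(self, name, peer):
        self.name, self.peer = name, peer
        self._send_mac = None   # None until authentication yields a key
        self._recv_mac = None

    def set_session_key(self, key):
        # One running HMAC per direction (the commit message says ZEO still
        # needed this): client->server and server->client never share state,
        # so a frame captured in one direction cannot be replayed in the other.
        self._send_mac = hmac.new(key, self.name + b"->" + self.peer, hashlib.sha1)
        self._recv_mac = hmac.new(key, self.peer + b"->" + self.name, hashlib.sha1)

    def send(self, payload):
        """Frame payload; append a chained MAC once a session key is installed."""
        frame = HEADER.pack(len(payload)) + payload
        if self._send_mac is not None:
            self._send_mac.update(payload)      # MAC covers every prior send
            frame += self._send_mac.digest()
        return frame

    def recv(self, frame):
        """Return the payload of one frame, or raise AuthError."""
        (length,) = HEADER.unpack(frame[:HEADER.size])
        payload = frame[HEADER.size:HEADER.size + length]
        trailer = frame[HEADER.size + length:]
        if self._recv_mac is None:
            return payload                      # pre-auth: no MAC expected
        # Bug 1 was taking the branch above even after the key had been set.
        if len(trailer) != MAC_LEN:
            raise AuthError("frame without MAC after session key established")
        expected = self._recv_mac.copy()
        expected.update(payload)
        if not hmac.compare_digest(expected.digest(), trailer):
            raise AuthError("bad MAC")
        self._recv_mac = expected               # advance the chain only on success
        return payload


def forge_unauthenticated(payload):
    """What an attacker (or an unkeyed client) puts on the wire: no MAC."""
    return HEADER.pack(len(payload)) + payload


def run_session(client_sets_key):
    """Drive one client/server exchange; return a dict of outcomes by step.

    client_sets_key=False reproduces bug 2 (the client never installed its key).
    """
    client = Endpoint(b"client", b"server")
    server = Endpoint(b"server", b"client")
    key = b"constructed-session-key"   # constructed sample; real keys come from the auth protocol
    server.set_session_key(key)
    if client_sets_key:
        client.set_session_key(key)

    def attempt(endpoint, frame):
        try:
            return endpoint.recv(frame)
        except AuthError as e:
            return "rejected: " + str(e)

    req = client.send(b"loadEx")
    out = {"request": attempt(server, req)}
    out["reply"] = attempt(client, server.send(b"data"))
    out["forged_to_server"] = attempt(server, forge_unauthenticated(b"store"))
    out["forged_to_client"] = attempt(client, forge_unauthenticated(b"invalidate"))
    out["replayed_request"] = attempt(server, req)   # same bytes, later in the chain
    return out
```

With both ends keyed, MAC-less forgeries in either direction and a replayed request are all rejected; with the client left unkeyed, the server rejects the client's own unauthenticated request and the client silently accepts a forged frame, which is the pair of failures the fix in this commit addresses.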
=== ZODB3/ZEO/ClientStorage.py 1.106.4.2 => 1.106.4.3 ===
--- ZODB3/ZEO/ClientStorage.py:1.106.4.2 Mon Sep 15 14:02:59 2003
+++ ZODB3/ZEO/ClientStorage.py Fri Sep 19 15:01:27 2003
@@ -434,8 +434,10 @@
auth = stub.getAuthProtocol()
log2(INFO, "Server authentication protocol %r" % auth)
if auth:
- if self.doAuth(auth, stub):
+ skey = self.doAuth(auth, stub)
+ if skey:
log2(INFO, "Client authentication successful")
+ conn.setSessionKey(skey)
else:
log2(ERROR, "Authentication failed")
raise AuthError, "Authentication failed"
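Review bot: the return value of `doAuth` is now used as the session key (`skey = self.doAuth(auth, stub)` followed by `if skey:`), but nothing in this hunk shows or documents that contract; add to doAuth's docstring that it returns the session key on success and a false value on failure, because any authentication protocol implementation that still returns `True` would pass the truthiness check and `conn.setSessionKey(skey)` would install `True` as the key. Minor: `log2(INFO, "Client authentication successful")` runs before `conn.setSessionKey(skey)`, so a failure inside setSessionKey is logged as a success; swapping the two lines keeps the log honest.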