[Zope-dev] Re: Zope security alert and hotfix product...

Toby Dickenson tdickenson@geminidataloggers.com
Mon, 14 Aug 2000 10:03:23 +0100


On Thu, 10 Aug 2000 14:15:29 -0400, Brian Lloyd <Brian@digicool.com>
wrote:


> The issue involves the fact that the getRoles method of user objects
> contained in the default UserFolder implementation returns a mutable
> Python type. Because the mutable object is still associated with the
> persistent User object, users with the ability to edit DTML could
> arrange to give themselves extra roles for the duration of a single
> request by mutating the roles list as a part of the request
> processing.

OK, so I can exploit this with something similar to
user.getRoles().append('A Role That I Dont Have')

But, why isn't the append method covered by the new
inaccessible-by-default 2.2 security rules?


Toby Dickenson
tdickenson@geminidataloggers.com
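An added illustration of the defect the thread discusses (constructed for this note, not Zope's UserFolder code nor the hotfix itself): a minimal user class whose getRoles hands out its internal list, beside one that returns a tuple snapshot, plus a check a maintainer could keep as a regression test. Class and function names are assumptions.

```python
# Constructed stand-in for a persistent user object; not Zope's code.


class VulnerableUser:
    """Returns the stored roles list itself, so any caller can mutate it."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        # Defect: the very list the object persists is handed to the caller.
        return self._roles


class HardenedUser(VulnerableUser):
    """Returns an immutable snapshot; the stored roles cannot be altered."""

    def getRoles(self):
        # Fix: a tuple copy. append() raises AttributeError, and even a
        # mutable copy would leave self._roles untouched.
        return tuple(self._roles)


def has_role(user, role):
    """The authorization question an access-control layer asks."""
    return role in user.getRoles()


def roles_leak_to_caller(user, extra_role):
    """Regression check: does mutating getRoles() change the stored roles?

    Returns True when the object is vulnerable in the way the thread
    describes, False when the returned value cannot affect the user.
    """
    try:
        user.getRoles().append(extra_role)
    except AttributeError:
        # A tuple has no append: the hardened object rejects the mutation.
        return False
    return has_role(user, extra_role)
```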