[Zope-dev] Re: Zope security alert and hotfix product...
Toby Dickenson
tdickenson@geminidataloggers.com
Mon, 14 Aug 2000 10:03:23 +0100
On Thu, 10 Aug 2000 14:15:29 -0400, Brian Lloyd <Brian@digicool.com>
wrote:
> The issue involves the fact that the getRoles method of user objects
> contained in the default UserFolder implementation returns a mutable
> Python type. Because the mutable object is still associated with the
> persistent User object, users with the ability to edit DTML could
> arrange to give themselves extra roles for the duration of a single
> request by mutating the roles list as a part of the request
> processing.
OK, so I can exploit this with something similar to
user.getRoles().append('A Role That I Dont Have')
But, why isn't the append method covered by the new
inaccessible-by-default 2.2 security rules?
Toby Dickenson
tdickenson@geminidataloggers.com
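A simplified model of the bug Brian describes and of the usual fix (return a copy, or an immutable tuple, instead of the stored list), as an added example that is not Zope's own code; the `VulnerableUser` and `FixedUser` classes and the `roles_after_untrusted_mutation` helper are constructed here for illustration.

```python
# Toy model of a user object whose getRoles() leaks a mutable internal list.
# Not Zope code: a minimal stand-in for the persistent User object.


class VulnerableUser:
    """getRoles() hands back the internal list itself, so any caller that
    can reach the return value can mutate the user's stored roles."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        return self._roles          # aliases the persistent list

    def has_role(self, role):
        return role in self._roles


class FixedUser(VulnerableUser):
    """getRoles() returns an immutable snapshot: a tuple has no append(),
    and even a list copy would not be the stored object."""

    def getRoles(self):
        return tuple(self._roles)


def roles_after_untrusted_mutation(user, extra_role):
    """Regression check: try to add a role through the value getRoles()
    returns, then report which roles the user actually holds afterwards.
    For a correct implementation the stored roles must be unchanged."""
    returned = user.getRoles()
    try:
        returned.append(extra_role)
    except AttributeError:
        pass                        # tuple: no append(), attempt is harmless
    return list(user._roles)
```

A check of this shape belongs in a test suite for any accessor that returns persistent collections, since the alias only shows up when the returned value is mutated.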