[Zope-dev] AccessControl bug fixed
Tres Seaver
tseaver at palladion.com
Thu Aug 23 15:34:56 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/23/2012 11:23 AM, lists at nidelven-it.no wrote:
> does this have any security implications?
The bug doesn't provide any obvious attack vector. Applications which
used the doubly-unusual feature ('__roles__' being a class instance,
rather than a list or tuple, and in addition having a
'rolesForPermission' method) would have the last-used such class have its
'rolesForPermission' used instead of the normal 'global' one in
subsequent initial checks inside
'AccessControl.ZopeSecurityPolicy.get_roles'.
Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlA2TZoACgkQ+gerLs4ltQ7vgACeJgsWIhIcxuWKQkqAHFGEzm3L
3vYAoMf+kVHsWMqmEHilIqAoxzLKQjIq
=mlGW
-----END PGP SIGNATURE-----
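The bug class Tres describes, state from one check leaking into later ones, is easiest to see in a small model. The following is a constructed illustration added here, not AccessControl's own code: the names `get_roles`, `__roles__` and `rolesForPermission` follow the mail, but the resolver logic, the module-level binding that gets rebound, and the sample classes are all assumptions made for the example. It shows the buggy shape (a shared binding overwritten by the last-used `__roles__` instance's method) beside the fixed shape (a per-call local), and a `demonstrate` helper that runs the same sequence of checks against each.

```python
"""Model of a policy-state leak of the kind described in the mail.

Constructed example, not Zope's AccessControl: the control flow below is a
simplified stand-in for ZopeSecurityPolicy.get_roles, kept only as far as
needed to show the leak and its fix.
"""

_UNSET = object()  # sentinel for "object has no __roles__ attribute"


def global_roles_for_permission(obj, permission):
    """The 'normal global' resolver: roles come from the object's own mapping.

    (Assumed attribute name `permission_roles`; default is Manager-only.)
    """
    mapping = getattr(obj, 'permission_roles', {})
    return tuple(mapping.get(permission, ('Manager',)))


# Buggy shape: a module-level binding that the unusual path rebinds.
_roles_for_permission = global_roles_for_permission


def get_roles_buggy(obj, permission):
    """Resolve roles, but leak the last custom resolver into later checks."""
    global _roles_for_permission
    roles = getattr(obj, '__roles__', _UNSET)
    if roles is _UNSET:
        # "Initial check": no __roles__, so fall through to the global resolver.
        return _roles_for_permission(obj, permission)
    if isinstance(roles, (list, tuple)):
        return tuple(roles)
    if hasattr(roles, 'rolesForPermission'):
        # BUG (modelled): the shared binding is overwritten, so every later
        # object without __roles__ is resolved by this instance's method.
        _roles_for_permission = roles.rolesForPermission
    return _roles_for_permission(obj, permission)


def get_roles_fixed(obj, permission):
    """Same resolution, but the custom resolver lives only in a local."""
    resolver = global_roles_for_permission
    roles = getattr(obj, '__roles__', _UNSET)
    if roles is _UNSET:
        return resolver(obj, permission)
    if isinstance(roles, (list, tuple)):
        return tuple(roles)
    if hasattr(roles, 'rolesForPermission'):
        resolver = roles.rolesForPermission  # scoped to this call only
    return resolver(obj, permission)


# Constructed sample objects.
class CustomRoles:
    """The 'doubly-unusual' case: __roles__ is an instance with a method."""

    def rolesForPermission(self, obj, permission):
        return ('Anonymous',)  # permissive on purpose, so a leak is visible


class WithCustom:
    __roles__ = CustomRoles()


class Protected:
    """No __roles__ at all: must always resolve through the global resolver."""
    permission_roles = {'View': ('Manager',)}


def demonstrate(get_roles):
    """Return (roles before, roles after) a check that exercises the custom path."""
    global _roles_for_permission
    _roles_for_permission = global_roles_for_permission  # start from clean state
    before = get_roles(Protected(), 'View')
    get_roles(WithCustom(), 'View')  # the unusual __roles__ instance
    after = get_roles(Protected(), 'View')
    return before, after


if __name__ == '__main__':
    print('buggy:', demonstrate(get_roles_buggy))   # ('Manager',) then ('Anonymous',)
    print('fixed:', demonstrate(get_roles_fixed))   # ('Manager',) both times
```

Run stand-alone, the buggy variant shows a `Protected` object resolving to `Manager` before the custom check and to `Anonymous` after it, which is the "last-used class" effect the mail describes; the fixed variant gives `Manager` both times. The practical audit question the mail raises is whether any code in a deployment assigns a class instance to `__roles__` at all, since only those applications exercised the affected path.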