[Zope] Major security flaw in Zope 2.3.2

Jerome Alet alet@unice.fr
Wed, 6 Jun 2001 21:07:19 +0200


On Wed, Jun 06, 2001 at 02:22:28PM -0400, Brian Lloyd wrote:

> There has been a proposal by Ross Lazarus about this since 
> Jan. 28, 2001:
> 
> http://dev.zope.org/Wikis/DevSite/Proposals/EncryptedUserfolderPasswords

I've read it.

So just a question: What are you waiting for before implementing it?

The proposed patch complete with method definition and docstring, taking 
care of two different encryption methods is 13 lines long!

Just what I called a one liner.

The original author didn't submit a patch to encrypt all unencrypted user 
passwords to take care of existing Data.fs files, so what? Do you want me
to write it?

Every time Zope is launched and recreates its index, just take care of it,
encrypt unencrypted passwords and update the ZODB automatically.

This wouldn't slow down Zope when running, only when it's restarted.

I understand that there's the problem of existing third party products 
which may expect unencrypted passwords: just do it anyway and inform
people. I suppose there won't be hundreds of such third party products.

Just do a poll: does any reader of this list expect such a bad 
behavior in his own Zope products?

bye,

Jerome Alet
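A sketch of the restart-time migration the message asks for, as an added example that is neither Zope's code nor the patch from the proposal: it hashes plaintext entries in place, skips entries that already carry a scheme prefix so it is safe to rerun, and validates passwords in either stored form. The `{SHA}` and `{SSHA256}` prefixes, the base64(digest + salt) layout and the function names are assumptions for this example, not Zope's own AuthEncoding conventions.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefixes and storage format are assumptions for this example, not Zope's own.
SCHEMES = ("{SHA}", "{SSHA256}")


def is_encrypted(stored):
    """True if the stored value already carries a known scheme prefix."""
    return stored.startswith(SCHEMES)


def legacy_sha(password):
    """Unsalted {SHA} entry, the older of the two formats validate() accepts."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def encrypt(password, salt=None):
    """Salted SHA-256 of the password, stored as base64(digest + salt) behind a prefix."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()


def validate(password, stored):
    """Check a password against a stored value in any form a folder may still hold."""
    if stored.startswith("{SSHA256}"):
        raw = base64.b64decode(stored[len("{SSHA256}"):])
        digest, salt = raw[:32], raw[32:]
        return hmac.compare_digest(hashlib.sha256(password.encode() + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), digest)
    # Still-plaintext entry: accepted until the restart-time migration rewrites it.
    return hmac.compare_digest(password.encode(), stored.encode())


def migrate_user_folder(users):
    """Encrypt plaintext passwords in place (idempotent, so safe on every restart); return the count."""
    changed = 0
    for name, stored in list(users.items()):
        if not is_encrypted(stored):  # prefixed entries are skipped, never double-hashed
            users[name] = encrypt(stored)
            changed += 1
    return changed
```

Running `migrate_user_folder` on a constructed folder such as `{"alice": "s3cret", "bob": legacy_sha("hunter2")}` rewrites only alice's entry, and a second run changes nothing.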