Security Bug -- To be fixed in Zope 2.7.5
(was: Re: [Zope] Re: Re: Re: Blocking Sibling inheritance)
Dieter Maurer
dieter at handshake.de
Thu Mar 10 13:33:06 EST 2005
Malcolm Cleaton wrote at 2005-3-10 10:07 +0000:
> ...
>> It should not be necessary:
>>
>> A user should not be able to access any *protected* (!) object
>> outside the subhierarchy governed by the user folder
>> that authenticated the user.
>>
>> But maybe, we have a bug (and "aq_inContextOf" does not work
>> as expected).
>
>Yes, this shouldn't be necessary, and it looks like it's a bug.
>
>Looks to me like the bug is in User.py's allowed method. Quite simply,
>when it checks for the Authenticated role, it doesn't call
>self._check_context, so never attempts to detect and foil acquisition
>tricks. Unless I'm missing something, it should be a quick and easy fix.
You are right!
--
Dieter
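The following is an added illustration of the flaw Malcolm describes, not code from Zope's User.py or from either poster. It is a constructed, self-contained model: the class names (Node, UserFolder, User), the method names allowed_buggy and allowed_fixed, and the parent-chain stand-in for acquisition context are all assumptions made for this example. The buggy variant returns as soon as the object requires only the Authenticated role, so a user authenticated by /site_a/acl_users is granted access to /site_b/secret; the fixed variant applies the same context check to that branch that the role lookup already gets.

```python
"""Constructed model of the User.allowed() bug discussed in this thread.

Example code written for this page, not Zope's own User.py. Node, UserFolder,
User, allowed_buggy and allowed_fixed are names assumed for illustration.
"""


class Node:
    """A folder or document in a containment tree. As with Zope acquisition,
    an object's context is the chain of containers above it."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent

    def ancestors(self):
        node = self.parent
        while node is not None:
            yield node
            node = node.parent


class UserFolder(Node):
    """An acl_users folder: it authenticates users for the subtree rooted at
    its container (self.parent)."""

    def __init__(self, parent):
        super().__init__("acl_users", parent)
        self.users = {}

    def add_user(self, name, roles=()):
        self.users[name] = User(name, roles, folder=self)
        return self.users[name]


class User:
    def __init__(self, name, roles, folder):
        self.name = name
        self.roles = set(roles)
        self.folder = folder  # the user folder that authenticated this user

    def _check_context(self, obj):
        """Is obj inside the subtree governed by the authenticating folder?
        Stand-in for aq_inContextOf(self.folder.aq_parent)."""
        governed = self.folder.parent
        return obj is governed or governed in obj.ancestors()

    def allowed_buggy(self, obj, object_roles):
        """The shape described in the thread: the Authenticated branch
        returns before any context check is made."""
        if "Anonymous" in object_roles:
            return True
        if "Authenticated" in object_roles and self.name != "Anonymous User":
            return True  # BUG: no self._check_context(obj) here
        if not self._check_context(obj):
            return False
        return bool(self.roles & set(object_roles))

    def allowed_fixed(self, obj, object_roles):
        """Same check, with the context test applied before the
        Authenticated branch as well."""
        if "Anonymous" in object_roles:
            return True
        if not self._check_context(obj):
            return False
        if "Authenticated" in object_roles and self.name != "Anonymous User":
            return True
        return bool(self.roles & set(object_roles))


def build_site():
    """Constructed tree: /site_a (with its own acl_users) and a sibling
    /site_b that should be out of reach for users of /site_a/acl_users."""
    root = Node("")
    site_a = Node("site_a", root)
    site_b = Node("site_b", root)
    alice = UserFolder(site_a).add_user("alice", roles=["Manager"])
    a_page = Node("page", Node("docs", site_a))   # /site_a/docs/page
    b_secret = Node("secret", site_b)             # /site_b/secret
    return alice, a_page, b_secret


def demo():
    alice, a_page, b_secret = build_site()
    return {
        # Sibling subtree, object requires only Authenticated
        "buggy_sibling": alice.allowed_buggy(b_secret, ["Authenticated"]),
        "fixed_sibling": alice.allowed_fixed(b_secret, ["Authenticated"]),
        # Sibling subtree, object requires Manager: both variants check context
        "buggy_sibling_manager": alice.allowed_buggy(b_secret, ["Manager"]),
        # Own subtree: access still works after the fix
        "fixed_own": alice.allowed_fixed(a_page, ["Authenticated"]),
        "fixed_own_manager": alice.allowed_fixed(a_page, ["Manager"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints buggy_sibling as True and fixed_sibling as False; the Manager-role path denies the sibling object in both variants because that branch already passed through the context check, which is exactly the asymmetry the thread points at.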