[Zope] Re: Security Bug -- To be fixed in Zope 2.7.5
Tres Seaver
tseaver at zope.com
Thu Mar 10 15:26:41 EST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dieter Maurer wrote:
| Malcolm Cleaton wrote at 2005-3-10 10:07 +0000:
|
|>...
|>
|>>It should not be necessary:
|>>
|>> A user should not be able to access any *protected* (!) object
|>> outside the subhierarchy governed by the user folder
|>> that authenticated the user.
|>>
|>>But maybe, we have a bug (and "aq_inContextOf" does not work
|>>as expected).
|>
|>Yes, this shouldn't be necessary, and it looks like it's a bug.
|>
|>Looks to me like the bug is in User.py's allowed method. Quite simply,
|>when it checks for the Authenticated role, it doesn't call
|>self._check_context,
|>so never attempts to detect and foil acquisition
|>tricks. Unless I'm missing something, it should be a quick and easy fix.
|
|
| You are right!
Yep. The only hard part will be writing a decent unit test which
exercises the bug:
- -------------------- 8< ------------------
diff -u -r1.176.14.7 User.py
- --- lib/python/AccessControl/User.py 25 Jan 2005 13:46:14 -0000
1.176.14.7
+++ lib/python/AccessControl/User.py 10 Mar 2005 20:26:53 -0000
@@ -182,7 +182,8 @@
~ # role and user is not nobody
~ if 'Authenticated' in object_roles and (
~ self.getUserName() != 'Anonymous User'):
- - return 1
+ if self._check_context(object):
+ return 1
~ # Check for ancient role data up front, convert if found.
~ # This should almost never happen, and should probably be
- -------------------- 8< ------------------
Tres.
- --
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCMK2AGqWXf00rNCgRAux+AJ0Zas9R/lUMc+Oot05jl5TNbunQLACeKBlt
ZgoCjc6pOE8AjdSy6a7CUj8=
=RLrC
-----END PGP SIGNATURE-----
More information about the Zope
mailing list