[Zope] Re: Security Bug -- To be fixed in Zope 2.7.5
Greg Fischer
retheoff at gmail.com
Tue Mar 15 11:44:29 EST 2005
Thanks for that, Tres! It works great!
Greg
On Thu, 10 Mar 2005 15:26:41 -0500, Tres Seaver <tseaver at zope.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dieter Maurer wrote:
> | Malcolm Cleaton wrote at 2005-3-10 10:07 +0000:
> |
> |>...
> |>
> |>>It should not be necessary:
> |>>
> |>> A user should not be able to access any *protected* (!) object
> |>> outside the subhierarchy governed by the user folder
> |>> that authenticated the user.
> |>>
> |>>But maybe, we have a bug (and "aq_inContextOf" does not work
> |>>as expected).
> |>
> |>Yes, this shouldn't be necessary, and it looks like it's a bug.
> |>
> |>Looks to me like the bug is in User.py's allowed method. Quite simply,
> |>when it checks for the Authenticated role, it doesn't call
> |>self._check_context,
> |>so never attempts to detect and foil acquisition
> |>tricks. Unless I'm missing something, it should be a quick and easy fix.
> |
> |
> | You are right!
>
> Yep. The only hard part will be writing a decent unit test which
> exercises the bug:
>
> - -------------------- 8< ------------------
> diff -u -r1.176.14.7 User.py
> - --- lib/python/AccessControl/User.py 25 Jan 2005 13:46:14 -0000
> 1.176.14.7
> +++ lib/python/AccessControl/User.py 10 Mar 2005 20:26:53 -0000
> @@ -182,7 +182,8 @@
> ~ # role and user is not nobody
> ~ if 'Authenticated' in object_roles and (
> ~ self.getUserName() != 'Anonymous User'):
> - - return 1
> + if self._check_context(object):
> + return 1
>
> ~ # Check for ancient role data up front, convert if found.
> ~ # This should almost never happen, and should probably be
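Review bot: when `self._check_context(object)` returns false in the new Authenticated branch, control falls through to the role checks that follow ("Check for ancient role data up front...") rather than denying outright, so the fix only holds if every later path also runs `_check_context`; a one-line comment above `if self._check_context(object):` stating that intent would keep the next reader from re-adding the unconditional `return 1`. The hunk also arrives without the unit test mentioned just above it; that test should exercise an 'Authenticated'-protected object acquired from outside the authenticating user folder's subhierarchy and assert that `allowed` returns a false value. (The `- -` prefix on the removed `return 1` line is PGP clearsign dash-escaping, not part of the diff.)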
> - -------------------- 8< ------------------
>
> Tres.
> - --
> ===============================================================
> Tres Seaver tseaver at zope.com
> Zope Corporation "Zope Dealers" http://www.zope.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCMK2AGqWXf00rNCgRAux+AJ0Zas9R/lUMc+Oot05jl5TNbunQLACeKBlt
> ZgoCjc6pOE8AjdSy6a7CUj8=
> =RLrC
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
>
--
Greg Fischer
1st Byte Solutions
http://www.1stbyte.com
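The failure Malcolm describes, as an added example written for this page and not Zope's own AccessControl/User.py: a simplified model of the `allowed` check with the 'Authenticated' branch before and after it is gated on the context check. `Node`, `UserFolder`, `in_context_of`, the folder layout and the user names are assumptions standing in for Zope's acquisition machinery and `aq_inContextOf`; the scenario below is constructed.

```python
"""Model of the 'Authenticated' role check discussed in the thread.

Added illustration, not Zope code.  Node/UserFolder/in_context_of are
assumptions that stand in for Zope's acquisition chain and aq_inContextOf.
"""


class Node:
    """A container in a tree; `parent` models the acquisition chain."""

    def __init__(self, name, parent=None, roles=()):
        self.name = name
        self.parent = parent
        self.roles = set(roles)  # roles permitted to access this object

    def in_context_of(self, other):
        """Model of aq_inContextOf: is `other` self or one of its ancestors?"""
        node = self
        while node is not None:
            if node is other:
                return True
            node = node.parent
        return False


class UserFolder(Node):
    """The user folder (acl_users) that authenticates a user."""


class User:
    def __init__(self, name, folder, roles=()):
        self.name = name
        self.folder = folder        # user folder that authenticated this user
        self.roles = set(roles)

    def _check_context(self, obj):
        # The user folder governs the subhierarchy rooted at its container.
        return obj.in_context_of(self.folder.parent)

    def allowed_buggy(self, obj):
        """Pre-fix shape: 'Authenticated' is granted with no context check."""
        if 'Authenticated' in obj.roles and self.name != 'Anonymous User':
            return 1
        for role in self.roles:
            if role in obj.roles and self._check_context(obj):
                return 1
        return 0

    def allowed_fixed(self, obj):
        """Post-fix shape: the Authenticated branch is gated on _check_context."""
        if 'Authenticated' in obj.roles and self.name != 'Anonymous User':
            if self._check_context(obj):
                return 1
        for role in self.roles:
            if role in obj.roles and self._check_context(obj):
                return 1
        return 0


def build_scenario():
    """Constructed site: a nested user folder and a protected object outside it."""
    root = Node('root')
    site = Node('site', root)
    # Protected object that lives outside the nested user folder's subtree.
    admin_report = Node('admin_report', site, roles={'Authenticated'})
    customers = Node('customers', site)
    customers_users = UserFolder('acl_users', customers)
    # Protected object inside the subtree governed by customers/acl_users.
    welcome = Node('welcome', customers, roles={'Authenticated'})
    bob = User('bob', customers_users, roles={'Customer'})
    return bob, welcome, admin_report


def demo():
    """Compare the two checks for an object inside and one outside the subtree."""
    bob, inside, outside = build_scenario()
    return {
        'buggy_inside': bob.allowed_buggy(inside),
        'buggy_outside': bob.allowed_buggy(outside),   # acquisition trick succeeds
        'fixed_inside': bob.allowed_fixed(inside),
        'fixed_outside': bob.allowed_fixed(outside),   # now denied
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Only the 'Authenticated' branch differs between the two methods; the per-role loop already consults `_check_context`, which is why the thread treats the fix as a one-line change rather than a redesign.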