[Zope] Re: Security Bug -- To be fixed in Zope 2.7.5
Jay Zeemer
jzeemer at edcor.com
Wed Mar 16 07:40:59 EST 2005
Not to be a nag, but is there a date when this fix will be available??
Either in 2.7.5RC# or otherwise?? I admit I am not much of a Python
programmer, as of yet, so most of what I am seeing is unfamiliar to me about
where the fix is.
Jay
-----Original Message-----
From: Tres Seaver [mailto:tseaver at zope.com]
Sent: Thursday, March 10, 2005 3:27 PM
To: zope at zope.org
Cc: andreas.jung at haufe.de
Subject: [Zope] Re: Security Bug -- To be fixed in Zope 2.7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dieter Maurer wrote:
| Malcolm Cleaton wrote at 2005-3-10 10:07 +0000:
|
|>...
|>
|>>It should not be necessary:
|>>
|>> A user should not be able to access any *protected* (!) object
|>> outside the subhierarchy governed by the user folder
|>> that authenticated the user.
|>>
|>>But maybe, we have a bug (and "aq_inContextOf" does not work
|>>as expected).
|>
|>Yes, this shouldn't be necessary, and it looks like it's a bug.
|>
|>Looks to me like the bug is in User.py's allowed method. Quite simply,
|>when it checks for the Authenticated role, it doesn't call
|>self._check_context,
|>so never attempts to detect and foil acquisition
|>tricks. Unless I'm missing something, it should be a quick and easy fix.
|
|
| You are right!
Yep. The only hard part will be writing a decent unit test which
exercises the bug:
- -------------------- 8< ------------------
diff -u -r1.176.14.7 User.py
- --- lib/python/AccessControl/User.py 25 Jan 2005 13:46:14 -0000
1.176.14.7
+++ lib/python/AccessControl/User.py 10 Mar 2005 20:26:53 -0000
@@ -182,7 +182,8 @@
~ # role and user is not nobody
~ if 'Authenticated' in object_roles and (
~ self.getUserName() != 'Anonymous User'):
- - return 1
+ if self._check_context(object):
+ return 1
~ # Check for ancient role data up front, convert if found.
~ # This should almost never happen, and should probably be
- -------------------- 8< ------------------
Tres.
- --
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCMK2AGqWXf00rNCgRAux+AJ0Zas9R/lUMc+Oot05jl5TNbunQLACeKBlt
ZgoCjc6pOE8AjdSy6a7CUj8=
=RLrC
-----END PGP SIGNATURE-----
_______________________________________________
Zope maillist - Zope at zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
More information about the Zope
mailing list