[zope2-tracker] [Bug 1079238] [NEW] App.Undo.UndoSupport.get_request_var_or_attr exposes attributes
Tres Seaver
tseaver at palladion.com
Thu Nov 15 15:12:58 UTC 2012
*** This bug is a security vulnerability ***
Public security bug reported:
Historical bug: prior to r123753 (2.12 branch) and forward-ports, the
'get_request_var_or_attr' helper function of App.Undo.UndoSupport
could be abused to gain access to protected attributes of the context.
Fix released 2011-12-12 with 2.12.21 and 2.13.11.
** Affects: zope2
Importance: Undecided
Status: Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5489
https://bugs.launchpad.net/bugs/1079238