[Checkins] SVN: ZODB/branches/3.8/ Bugs Fixed:

Jim Fulton jim at zope.com
Tue Sep 1 06:18:06 EDT 2009


Log message for revision 103427:
  Bugs Fixed:
  
  - CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
    blobs are available. Someone with write access to a ZEO server
    configured to support blobs could read any file on the system
    readable by the server process and remove any file removable by the
    server process.
  

Changed:
  U   ZODB/branches/3.8/NEWS.txt
  U   ZODB/branches/3.8/setup.py
  U   ZODB/branches/3.8/src/ZEO/StorageServer.py

-=-
Modified: ZODB/branches/3.8/NEWS.txt
===================================================================
--- ZODB/branches/3.8/NEWS.txt	2009-09-01 09:24:02 UTC (rev 103426)
+++ ZODB/branches/3.8/NEWS.txt	2009-09-01 10:18:05 UTC (rev 103427)
@@ -10,6 +10,12 @@
 
 Bugs Fixed:
 
+- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
+  blobs are available. Someone with write access to a ZEO server
+  configured to support blobs could read any file on the system
+  readable by the server process and remove any file removable by the
+  server process.
+
 - Fixed ``NameError`` in cases where a directory cannot be created,
   e.g. when the necessary permissions are missing.
 

Modified: ZODB/branches/3.8/setup.py
===================================================================
--- ZODB/branches/3.8/setup.py	2009-09-01 09:24:02 UTC (rev 103426)
+++ ZODB/branches/3.8/setup.py	2009-09-01 10:18:05 UTC (rev 103427)
@@ -20,7 +20,7 @@
 interface, rich transaction support, and undo.
 """
 
-VERSION = "3.8.3dev"
+VERSION = "3.8.3"
 
 # The (non-obvious!) choices for the Trove Development Status line:
 # Development Status :: 5 - Production/Stable

Modified: ZODB/branches/3.8/src/ZEO/StorageServer.py
===================================================================
--- ZODB/branches/3.8/src/ZEO/StorageServer.py	2009-09-01 09:24:02 UTC (rev 103426)
+++ ZODB/branches/3.8/src/ZEO/StorageServer.py	2009-09-01 10:18:05 UTC (rev 103427)
@@ -530,7 +530,7 @@
         assert self.blob_tempfile is None
         self.blob_tempfile = tempfile.mkstemp(
             dir=self.storage.temporaryDirectory())
-        
+
     def storeBlobChunk(self, chunk):
         os.write(self.blob_tempfile[0], chunk)
 
@@ -542,6 +542,16 @@
 
     def storeBlobShared(self, oid, serial, data, filename, version, id):
         # Reconstruct the full path from the filename in the OID directory
+        if (os.path.sep in filename
+            or not (filename.endswith('.tmp')
+                    or filename[:-1].endswith('.tmp')
+                    )
+            ):
+            logger.critical(
+                "We're under attack! (bad filename to storeBlobShared, %r)",
+                filename)
+            raise ValueError(filename)
+
         filename = os.path.join(self.storage.fshelper.getPathForOID(oid),
                                 filename)
         self.blob_log.append((oid, serial, data, filename, version))
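Review bot: the separator check on the first added line tests only `os.path.sep`; on Windows `os.path.altsep` ('/') also separates path components, so testing both (e.g. `os.path.sep in filename or (os.path.altsep and os.path.altsep in filename)`) would make the guard hold on every platform the server runs on. The `filename[:-1].endswith('.tmp')` branch accepts one extra trailing character without saying which naming convention that is for; a one-line comment naming it would keep a future reader from tightening it back to a plain `.tmp` check. Also, `logger` is used here but is not defined anywhere in this hunk; confirm it is bound at module scope in StorageServer.py before the release is cut.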

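The log message describes the vulnerability only by its impact (arbitrary file read and removal via blob filenames), and the StorageServer.py hunk shows the shape of the guard: reject separators and anything that does not look like a blob temp file. The following is an added, stand-alone example, not ZODB code and not part of the commit, that mirrors that guard in `is_safe_blob_filename` and then goes one step further in `resolve_blob_path` by checking that the joined path actually resolves inside the OID directory, which also covers `os.path.altsep`. The `oid_dir` argument and the sample filenames are constructed for the example.

```python
import os
import tempfile


def is_safe_blob_filename(filename):
    """Name-level check in the spirit of the r103427 guard.

    Rejects any path separator (sep and, where it exists, altsep) and any
    name that does not end in '.tmp' or '.tmp' plus one trailing character,
    the same two suffix forms the hunk accepts.
    """
    separators = [os.path.sep]
    if os.path.altsep:                      # '/' on Windows, None on POSIX
        separators.append(os.path.altsep)
    if any(sep in filename for sep in separators):
        return False
    return filename.endswith('.tmp') or filename[:-1].endswith('.tmp')


def resolve_blob_path(oid_dir, filename):
    """Join filename onto oid_dir and refuse anything that escapes it.

    Belt and braces: even if a name passes the string check, the resolved
    path must still sit below the real oid_dir, so a drive-relative name or
    a symlinked component cannot point the server at another file.
    """
    if not is_safe_blob_filename(filename):
        raise ValueError(filename)
    base = os.path.realpath(oid_dir)
    full = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, full]) != base:
        raise ValueError(filename)
    return full


# Constructed sample inputs: well-formed temp names alongside names that
# carry a separator, a parent reference, or the wrong suffix.
CONSTRUCTED_NAMES = [
    "abc.tmp",            # accepted
    "abc.tmpx",           # accepted: one trailing character after '.tmp'
    "abc.txt",            # rejected: wrong suffix
    "../abc.tmp",         # rejected: separator
    "/etc/passwd.tmp",    # rejected: separator
    "..",                 # rejected: wrong suffix
    "",                   # rejected: empty
]


def classify(oid_dir=None, names=CONSTRUCTED_NAMES):
    """Return {name: accepted?} for each sample name against oid_dir.

    A fresh temporary directory is used when no oid_dir is given so the
    example runs offline without touching any real blob store.
    """
    if oid_dir is None:
        oid_dir = tempfile.mkdtemp(prefix="blob-oid-")
    results = {}
    for name in names:
        try:
            resolve_blob_path(oid_dir, name)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in classify().items():
        print("%-20r %s" % (name, "accepted" if ok else "rejected"))
```

`is_safe_blob_filename` alone is enough to stop the names the hunk is aimed at; `resolve_blob_path` is the check to keep if the storage directory can contain symlinks or the server runs on a platform where a name without a separator can still be non-relative.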