[Zodb-checkins] SVN: ZODB/branches/3.7/ Fixed vulnerabilities in the ZEO network protocol

Andreas Jung andreas at andreas-jung.com
Thu Aug 6 09:09:32 EDT 2009


Log message for revision 102530:
  
  Fixed vulnerabilities in the ZEO network protocol 
  affecting ZEO storage servers.
  

Changed:
  U   ZODB/branches/3.7/NEWS.txt
  U   ZODB/branches/3.7/setup.py
  U   ZODB/branches/3.7/src/ZEO/StorageServer.py
  U   ZODB/branches/3.7/src/ZEO/auth/auth_digest.py
  U   ZODB/branches/3.7/src/ZEO/tests/auth_plaintext.py
  U   ZODB/branches/3.7/src/ZEO/zrpc/connection.py
  U   ZODB/branches/3.7/src/ZEO/zrpc/marshal.py

-=-
Modified: ZODB/branches/3.7/NEWS.txt
===================================================================
--- ZODB/branches/3.7/NEWS.txt	2009-08-06 13:03:17 UTC (rev 102529)
+++ ZODB/branches/3.7/NEWS.txt	2009-08-06 13:09:32 UTC (rev 102530)
@@ -1,9 +1,15 @@
 What's new on ZODB 3.7.4?
 =========================
 
-Release date:  DD-MMM-YYYY
+Release date:  06-Aug-2009
 
+ZEO
+---
 
+- Fixed vulnerabilities in the ZEO network protocol 
+  affecting ZEO storage servers.
+
+
 What's new on ZODB 3.7.3?
 =========================
 

Modified: ZODB/branches/3.7/setup.py
===================================================================
--- ZODB/branches/3.7/setup.py	2009-08-06 13:03:17 UTC (rev 102529)
+++ ZODB/branches/3.7/setup.py	2009-08-06 13:09:32 UTC (rev 102530)
@@ -20,7 +20,7 @@
 interface, rich transaction support, and undo.
 """
 
-VERSION = "3.7.4dev"
+VERSION = "3.7.4"
 
 # The (non-obvious!) choices for the Trove Development Status line:
 # Development Status :: 5 - Production/Stable

Modified: ZODB/branches/3.7/src/ZEO/StorageServer.py
===================================================================
--- ZODB/branches/3.7/src/ZEO/StorageServer.py	2009-08-06 13:03:17 UTC (rev 102529)
+++ ZODB/branches/3.7/src/ZEO/StorageServer.py	2009-08-06 13:09:32 UTC (rev 102530)
@@ -98,7 +98,7 @@
         for func in self.extensions:
             self._extensions[func.func_name] = None
 
-    def finish_auth(self, authenticated):
+    def _finish_auth(self, authenticated):
         if not self.auth_realm:
             return 1
         self.authenticated = authenticated
@@ -356,6 +356,7 @@
 
     def new_oids(self, n=100):
         """Return a sequence of n new oids, where n defaults to 100"""
+        n = min(n, 100)
         if self.read_only:
             raise ReadOnlyError()
         if n <= 0:

Modified: ZODB/branches/3.7/src/ZEO/auth/auth_digest.py
===================================================================
--- ZODB/branches/3.7/src/ZEO/auth/auth_digest.py	2009-08-06 13:03:17 UTC (rev 102529)
+++ ZODB/branches/3.7/src/ZEO/auth/auth_digest.py	2009-08-06 13:09:32 UTC (rev 102530)
@@ -121,7 +121,7 @@
         check = hexdigest("%s:%s" % (h_up, challenge))
         if check == response:
             self.connection.setSessionKey(session_key(h_up, self._key_nonce))
-        return self.finish_auth(check == response)
+        return self._finish_auth(check == response)
 
     extensions = [auth_get_challenge, auth_response]
 

Modified: ZODB/branches/3.7/src/ZEO/tests/auth_plaintext.py
===================================================================
--- ZODB/branches/3.7/src/ZEO/tests/auth_plaintext.py	2009-08-06 13:03:17 UTC (rev 102529)
+++ ZODB/branches/3.7/src/ZEO/tests/auth_plaintext.py	2009-08-06 13:09:32 UTC (rev 102530)
@@ -41,7 +41,7 @@
             self.connection.setSessionKey(session_key(username,
                                                       self.database.realm,
                                                       password))
-        return self.finish_auth(dbpw == password_dig)
+        return self._finish_auth(dbpw == password_dig)
 
 class PlaintextClient(Client):
     extensions = ["auth"]

Modified: ZODB/branches/3.7/src/ZEO/zrpc/connection.py
===================================================================
--- ZODB/branches/3.7/src/ZEO/zrpc/connection.py	2009-08-06 13:03:17 UTC (rev 102529)
+++ ZODB/branches/3.7/src/ZEO/zrpc/connection.py	2009-08-06 13:09:32 UTC (rev 102530)
@@ -25,7 +25,7 @@
 import ThreadedAsync
 from ZEO.zrpc import smac
 from ZEO.zrpc.error import ZRPCError, DisconnectedError
-from ZEO.zrpc.marshal import Marshaller
+from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
 from ZEO.zrpc.trigger import trigger
 from ZEO.zrpc.log import short_repr, log
 from ZODB.loglevels import BLATHER, TRACE
@@ -838,6 +838,7 @@
     def __init__(self, sock, addr, obj, mgr):
         self.mgr = mgr
         self.__super_init(sock, addr, obj, 'S')
+        self.marshal = ServerMarshaller()
         self.obj.notifyConnected(self)
 
     def handshake(self):

Modified: ZODB/branches/3.7/src/ZEO/zrpc/marshal.py
===================================================================
--- ZODB/branches/3.7/src/ZEO/zrpc/marshal.py	2009-08-06 13:03:17 UTC (rev 102529)
+++ ZODB/branches/3.7/src/ZEO/zrpc/marshal.py	2009-08-06 13:09:32 UTC (rev 102530)
@@ -53,6 +53,20 @@
                 level=logging.ERROR)
             raise
 
+class ServerMarshaller(Marshaller):
+
+    def decode(self, msg):
+        """Decodes msg and returns its parts"""
+        unpickler = cPickle.Unpickler(StringIO(msg))
+        unpickler.find_global = server_find_global
+
+        try:
+            return unpickler.load() # msgid, flags, name, args
+        except:
+            log("can't decode message: %s" % short_repr(msg),
+                level=logging.ERROR)
+            raise
+
 _globals = globals()
 _silly = ('__doc__',)
 
@@ -77,3 +91,19 @@
         return r
 
     raise ZRPCError("Unsafe global: %s.%s" % (module, name))
+
+def server_find_global(module, name):
+    """Helper for message unpickler"""
+    try:
+        if module != 'ZopeUndo.Prefix':
+            raise ImportError
+        m = __import__(module, _globals, _globals, _silly)
+    except ImportError, msg:
+        raise ZRPCError("import error %s: %s" % (module, msg))
+
+    try:
+        r = getattr(m, name)
+    except AttributeError:
+        raise ZRPCError("module %s has no global %s" % (module, name))
+
+    return r



More information about the Zodb-checkins mailing list