[Zope-Checkins] SVN: Zope/hotfixes/ Undo botched import

Martijn Pieters mj at zopatista.com
Tue Mar 20 05:10:29 EDT 2007


Log message for revision 73392:
  Undo botched import

Changed:
  D   Zope/hotfixes/README.txt
  D   Zope/hotfixes/__init__.py
  D   Zope/hotfixes/tests/
  D   Zope/hotfixes/version.txt

-=-
Deleted: Zope/hotfixes/README.txt
===================================================================
--- Zope/hotfixes/README.txt	2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/README.txt	2007-03-20 09:10:28 UTC (rev 73392)
@@ -1,62 +0,0 @@
-Hotfix-20070320 README
-
-    This hotfix corrects a cross-site scripting vulnerability in Zope2,
-    where an attacker can use a hidden GET request to leverage a 
-    authenticated user's credentials to alter security settings and/or
-    user accounts.
-
-    Note that this fix only protects against GET requests, any site that
-    allows endusers to create auto-submitting forms (through javascript)
-    will remain vulnerable.
-    
-    The hotfix may be removed after upgrading to a version of Zope2 more
-    recent than this hotfix.
-
-  Affected Versions
-
-    - Zope 2.8.0 - 2.8.8
-
-    - Zope 2.9.0 - 2.9.6
-
-    - Zope 2.10.0 - 2.10.2
-    
-    - Earlier versions of Zope 2 are affected as well, but no new
-      releases for older major Zope releases (Zope 2.7 and earlier) will
-      be made. This Hotfix may work for older versions, but this has not
-      been tested.
-    
-  Installing the Hotfix
-
-    This hotfix is installed as a standard Zope2 product.  The following
-    examples assume that your Zope instance is located at
-    '/var/zope/instance':  please adjust according to your actual
-    instance path.  Also note that hotfix products are *not* intended
-    for installation into the "software home" of your Zope.
-
-      1. Unpack the tarball / zipfile for the Hotfix into a temporary
-         location::
-
-          $ cd /tmp
-          $ tar xzf ~/Hotfix_20070320.tar.gz
-
-      2. Copy or move the product directory from the unpacked directory
-         to the 'Products' directory of your Zope instance::
-
-          $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/
-
-      3. Restart Zope::
-
-          $ /var/zope/instance/bin/zopectl restart
-
-  Uninstalling the Hotfix
-
-    After upgrading Zope to one of the fixed versions, you should remove
-    this hotfix product from your Zope instance.
-
-      1. Remove the product directory from your instance 'Products'::
-
-          $ rm -rf /var/zope/instance/Products/Hotfix_20070320/
-
-      2. Restart Zope::
-
-          $ /var/zope/instance/bin/zopectl restart

Deleted: Zope/hotfixes/__init__.py
===================================================================
--- Zope/hotfixes/__init__.py	2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/__init__.py	2007-03-20 09:10:28 UTC (rev 73392)
@@ -1,122 +0,0 @@
-#############################################################################
-#
-# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved.
-#
-# This software is subject to the provisions of the Zope Public License,
-# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
-# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
-# FOR A PARTICULAR PURPOSE
-#
-##############################################################################
-
-"""Hotfix_20070319
-
-Protect security methods against GET requests.
-
-"""
-
-import inspect
-from zExceptions import Forbidden
-from ZPublisher.HTTPRequest import HTTPRequest
-
-def _buildFacade(spec, docstring):
-    """Build a facade function, matching the decorated method in signature.
-    
-    Note that defaults are replaced by None, and _curried will reconstruct
-    these to preserve mutable defaults.
-    
-    """
-    args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec)
-    callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec)
-    return 'def _facade%s:\n    """%s"""\n    return _curried%s' % (
-        args, docstring, callargs)
-
-def postonly(callable):
-    """Only allow callable when request method is POST."""
-    spec = inspect.getargspec(callable)
-    args, defaults = spec[0], spec[3]
-    try:
-        r_index = args.index('REQUEST')
-    except ValueError:
-        raise ValueError('No REQUEST parameter in callable signature')
-    
-    arglen = len(args)
-    if defaults is not None:
-        defaults = zip(args[arglen - len(defaults):], defaults)
-        arglen -= len(defaults)
-            
-    def _curried(*args, **kw):
-        request = None
-        if len(args) > r_index:
-            request = args[r_index]
-            
-        if isinstance(request, HTTPRequest):
-            if request.get('REQUEST_METHOD', 'GET').upper() != 'POST':
-                raise Forbidden('Request must be POST')
-
-        # Reconstruct keyword arguments
-        if defaults is not None:
-            args, kwparams = args[:arglen], args[arglen:]
-            for positional, (key, default) in zip(kwparams, defaults):
-                if positional is None:
-                    kw[key] = default
-                else:
-                    kw[key] = positional
-                    
-        return callable(*args, **kw)
-    
-    facade_globs = dict(_curried=_curried)
-    exec _buildFacade(spec, callable.__doc__) in facade_globs
-    return facade_globs['_facade']
-
-# Add REQUEST to BasicUserFolder.userFolder* methods as well as protect them
-from AccessControl.User import BasicUserFolder
-
-_original_ufAddUser = BasicUserFolder.userFolderAddUser
-def ufAddUser(self, name, password, roles, domains, REQUEST=None, **kw):
-    return _original_ufAddUser(self, name, password, roles, domains, **kw)
-ufAddUser.__doc__ = _original_ufAddUser.__doc__
-BasicUserFolder.userFolderAddUser = postonly(ufAddUser)
-
-_original_ufEditUser = BasicUserFolder.userFolderEditUser
-def ufEditUser(self, name, password, roles, domains, REQUEST=None, **kw):
-    return _original_ufEditUser(self, name, password, roles, domains, **kw)
-ufEditUser.__doc__ = _original_ufEditUser.__doc__
-BasicUserFolder.userFolderEditUser = postonly(ufEditUser)
-
-_original_ufDelUsers = BasicUserFolder.userFolderDelUsers
-def ufDelUsers(self, names, REQUEST=None):
-    return _original_ufDelUsers(self, names)
-ufDelUsers.__doc__ = _original_ufDelUsers.__doc__
-BasicUserFolder.userFolderDelUsers = postonly(ufDelUsers)
-
-BasicUserFolder.manage_setUserFolderProperties = postonly(
-    BasicUserFolder.manage_setUserFolderProperties)
-BasicUserFolder._addUser = postonly(BasicUserFolder._addUser)
-BasicUserFolder._changeUser = postonly(BasicUserFolder._changeUser)
-BasicUserFolder._delUsers = postonly(BasicUserFolder._delUsers)
-
-from AccessControl.Owned import Owned
-Owned.manage_takeOwnership = postonly(Owned.manage_takeOwnership)
-Owned.manage_changeOwnershipType = postonly(Owned.manage_changeOwnershipType)
-
-from AccessControl.PermissionMapping import RoleManager as PMRM
-PMRM.manage_setPermissionMapping = postonly(PMRM.manage_setPermissionMapping)
-
-from AccessControl.Role import RoleManager as RMRM
-RMRM.manage_acquiredPermissions = postonly(RMRM.manage_acquiredPermissions)
-RMRM.manage_permission = postonly(RMRM.manage_permission)
-RMRM.manage_changePermissions = postonly(RMRM.manage_changePermissions)
-RMRM.manage_addLocalRoles = postonly(RMRM.manage_addLocalRoles)
-RMRM.manage_setLocalRoles = postonly(RMRM.manage_setLocalRoles)
-RMRM.manage_delLocalRoles = postonly(RMRM.manage_delLocalRoles)
-RMRM._addRole = postonly(RMRM._addRole)
-RMRM._delRoles = postonly(RMRM._delRoles)
-
-from OFS.DTMLMethod import DTMLMethod
-DTMLMethod.manage_proxy = postonly(DTMLMethod.manage_proxy)
-
-from Products.PythonScripts.PythonScript import PythonScript
-PythonScript.manage_proxy = postonly(PythonScript.manage_proxy)

Deleted: Zope/hotfixes/version.txt
===================================================================
--- Zope/hotfixes/version.txt	2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/version.txt	2007-03-20 09:10:28 UTC (rev 73392)
@@ -1 +0,0 @@
-Hotfix_20070320



More information about the Zope-Checkins mailing list