[Zope] Re: Security Bug -- To be fixed in Zope 2.7.5

Jay Zeemer jzeemer at edcor.com
Wed Mar 16 07:40:59 EST 2005


Not to be a nag, but is there a date when this fix will be available??
Either in 2.7.5RC# or otherwise??  I admit I am not much of a Python
programmer, as of yet, so most of what I am seeing is unfamiliar to me about
where the fix is.

Jay

-----Original Message-----
From: Tres Seaver [mailto:tseaver at zope.com]
Sent: Thursday, March 10, 2005 3:27 PM
To: zope at zope.org
Cc: andreas.jung at haufe.de
Subject: [Zope] Re: Security Bug -- To be fixed in Zope 2.7.5



Dieter Maurer wrote:
| Malcolm Cleaton wrote at 2005-3-10 10:07 +0000:
|
|>...
|>
|>>It should not be necessary:
|>>
|>>   A user should not be able to access any *protected* (!) object
|>>   outside the subhierarchy governed by the user folder
|>>   that authenticated the user.
|>>
|>>But maybe, we have a bug (and "aq_inContextOf" does not work
|>>as expected).
|>
|>Yes, this shouldn't be necessary, and it looks like it's a bug.
|>
|>Looks to me like the bug is in User.py's allowed method. Quite simply,
|>when it checks for the Authenticated role, it doesn't call
|>self._check_context,
|>so never attempts to detect and foil acquisition
|>tricks. Unless I'm missing something, it should be a quick and easy fix.
|
|
| You are right!

Yep.  The only hard part will be writing a decent unit test which
exercises the bug:

-------------------- 8< ------------------
diff -u -r1.176.14.7 User.py
- --- lib/python/AccessControl/User.py    25 Jan 2005 13:46:14 -0000
1.176.14.7
+++ lib/python/AccessControl/User.py    10 Mar 2005 20:26:53 -0000
@@ -182,7 +182,8 @@
~         # role and user is not nobody
~         if 'Authenticated' in object_roles and (
~             self.getUserName() != 'Anonymous User'):
- -            return 1
+            if self._check_context(object):
+                return 1

~         # Check for ancient role data up front, convert if found.
~         # This should almost never happen, and should probably be
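Review bot: the comment above the changed lines ("role and user is not nobody") no longer describes the condition once `if self._check_context(object):` gates the `return 1`; update it to say that the Authenticated role is honoured only for objects inside the context of the user folder that authenticated the user, so the next reader does not "simplify" it back. Also worth noting for the unit test Tres mentions: when `_check_context(object)` fails the code now falls through to the later role checks instead of returning, so the test should cover an Authenticated-only object outside the user folder's subtree (expected: denied) as well as one inside it (expected: allowed), to confirm the fall-through does not grant access by another path.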
-------------------- 8< ------------------

Tres.
--
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
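The bug Malcolm describes and the one-line fix in Tres's patch, as an added example that is not Zope's own code: a small model in which a user folder governs a subtree, `_check_context` stands in for the `aq_inContextOf` test, and `allowed()` can be run in its pre-fix and fixed form. The tree (`site_a`, `site_b`, `alice`) and the `fixed` switch are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:
    """A container in the object tree; `parent` stands in for the acquisition chain."""
    name: str
    parent: Optional["Node"] = None

@dataclass
class User:
    """A user authenticated by the user folder that lives in `folder_container`."""
    name: str
    folder_container: Node        # constructed stand-in for the acl_users container
    roles: tuple = ()

    def _check_context(self, obj):
        # Models the aq_inContextOf check: obj must sit inside the user folder's container.
        node = obj
        while node is not None:
            if node is self.folder_container:
                return True
            node = node.parent
        return False

    def allowed(self, obj, object_roles, fixed=True):
        """True if this user may access obj, given the roles protecting it."""
        if 'Authenticated' in object_roles and self.name != 'Anonymous User':
            if not fixed:
                return True                  # pre-fix: any authenticated user, any subtree
            if self._check_context(obj):     # the fix: Authenticated only inside context
                return True
        # Ordinary roles were already gated by the context check before the fix.
        for role in self.roles:
            if role in object_roles and self._check_context(obj):
                return True
        return False

def build_fixture():
    # Constructed tree: /site_a holds the user folder that authenticates alice;
    # /site_b/report is protected by the Authenticated role only.
    root = Node('root')
    site_a = Node('site_a', root)
    site_b = Node('site_b', root)
    alice = User('alice', site_a, ('Member',))
    inside = Node('page', site_a)
    outside = Node('report', site_b)
    return alice, inside, outside
```

With `fixed=False`, `alice` reaches `site_b/report` although she was authenticated only for `site_a`; with the fix she is denied there and still allowed on `site_a/page`.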

_______________________________________________
Zope maillist  -  Zope at zope.org
http://mail.zope.org/mailman/listinfo/zope