[Zope] Re: Security Bug -- To be fixed in Zope 2.7.5

Andreas Jung lists at andreas-jung.com
Wed Mar 16 08:25:37 EST 2005


This will be in 2.7.5 final.

-aj

--On Wednesday, 16 March 2005 7:40 -0500 Jay Zeemer <jzeemer at edcor.com> 
wrote:

> Not to be a nag, but is there a date when this fix will be available??
> Either in 2.7.5RC# or otherwise??  I admit I am not much of a Python
> programmer, as of yet, so most of what I am seeing is unfamiliar to me
> about where the fix is.
>
> Jay
>
> -----Original Message-----
> From: Tres Seaver [mailto:tseaver at zope.com]
> Sent: Thursday, March 10, 2005 3:27 PM
> To: zope at zope.org
> Cc: andreas.jung at haufe.de
> Subject: [Zope] Re: Security Bug -- To be fixed in Zope 2.7.5
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dieter Maurer wrote:
>| Malcolm Cleaton wrote at 2005-3-10 10:07 +0000:
>|
>|> ...
>|>
>|>> It should not be necessary:
>|>>
>|>>   A user should not be able to access any *protected* (!) object
>|>>   outside the subhierarchy governed by the user folder
>|>>   that authenticated the user.
>|>>
>|>> But maybe, we have a bug (and "aq_inContextOf" does not work
>|>> as expected).
>|>
>|> Yes, this shouldn't be necessary, and it looks like it's a bug.
>|>
>|> Looks to me like the bug is in User.py's allowed method. Quite simply,
>|> when it checks for the Authenticated role, it doesn't call
>|> self._check_context, so never attempts to detect and foil acquisition
>|> tricks. Unless I'm missing something, it should be a quick and easy fix.
>|
>|
>| You are right!
>
> Yep.  The only hard part will be writing a decent unit test which
> exercises the bug:
>
> - -------------------- 8< ------------------
> diff -u -r1.176.14.7 User.py
> - --- lib/python/AccessControl/User.py    25 Jan 2005 13:46:14 -0000
> 1.176.14.7
> +++ lib/python/AccessControl/User.py    10 Mar 2005 20:26:53 -0000
> @@ -182,7 +182,8 @@
> ~         # role and user is not nobody
> ~         if 'Authenticated' in object_roles and (
> ~             self.getUserName() != 'Anonymous User'):
> - -            return 1
> +            if self._check_context(object):
> +                return 1
>
> ~         # Check for ancient role data up front, convert if found.
> ~         # This should almost never happen, and should probably be
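Review bot: the guarded early return (`+            if self._check_context(object):` / `+                return 1`) now falls through when the context check fails instead of denying outright, so the change is only sufficient if every role branch that follows also goes through `_check_context`; otherwise a later branch could still grant what the Authenticated shortcut no longer does. Please confirm that against the full function and add the unit test the message says is still missing: a user authenticated by a sub-folder's acl_users requesting an Authenticated-protected object above that folder must be denied, while the same user reading an object inside the folder must still be allowed. Note also that the hunk as posted is PGP dash-escaped (`- --- lib/python/...`, `- -            return 1`), so it needs unescaping before `patch` will apply it.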
> - -------------------- 8< ------------------
>
> Tres.
> - --
> ===============================================================
> Tres Seaver                                tseaver at zope.com
> Zope Corporation      "Zope Dealers"       http://www.zope.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCMK2AGqWXf00rNCgRAux+AJ0Zas9R/lUMc+Oot05jl5TNbunQLACeKBlt
> ZgoCjc6pOE8AjdSy6a7CUj8=
> =RLrC
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
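The thread above pins the bug to the `Authenticated` shortcut in `User.allowed`, which returned 1 without calling `_check_context`, and the patch makes the shortcut conditional on that check. The following is an added example, not Zope's own code: a stripped-down Python model of that shortcut with the pre-fix and post-fix logic side by side, plus the kind of unit test Tres mentions. The classes `Node`, `UserFolder` and `User`, the functions `allowed_vulnerable`, `allowed_fixed`, `build_site` and `check_access`, and the simplified containment-based `aq_inContextOf` are all assumptions made for the demo; the context rule itself (the object must lie inside the subhierarchy governed by the user folder that authenticated the user) is the one quoted in the thread.

```python
"""Added illustration, not Zope's own code: a stripped-down model of the
'Authenticated' shortcut in AccessControl.User.allowed() discussed in the
thread, showing the pre-fix and post-fix behaviour side by side.  All class
and function names here are assumptions chosen for the demo."""


class Node:
    """Stand-in for a Zope object with simple containment (parent links)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent

    def aq_chain(self):
        """Yield this node and every container above it."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def aq_inContextOf(self, container):
        """True if 'container' is this node or one of its containers
        (a containment-only simplification of Zope's acquisition test)."""
        return any(node is container for node in self.aq_chain())


class UserFolder(Node):
    """Stand-in for an acl_users folder; it governs its parent folder."""


class User:
    def __init__(self, name, user_folder, roles=()):
        self.name = name
        self.user_folder = user_folder  # the folder that authenticated us
        self.roles = set(roles)

    def getUserName(self):
        return self.name

    def _check_context(self, obj):
        # The object must lie inside the subhierarchy governed by the user
        # folder that authenticated this user: that folder's parent and
        # everything below it (the rule quoted in the thread).
        return obj.aq_inContextOf(self.user_folder.parent)

    def _allowed_by_role(self, obj, object_roles):
        # Explicit role grants are context-checked in both variants.
        if self.roles & set(object_roles) and self._check_context(obj):
            return 1
        return 0

    def allowed_vulnerable(self, obj, object_roles):
        # Pre-fix logic: any authenticated user gets 'Authenticated' access
        # without asking where the object lives.
        if 'Authenticated' in object_roles and (
                self.getUserName() != 'Anonymous User'):
            return 1
        return self._allowed_by_role(obj, object_roles)

    def allowed_fixed(self, obj, object_roles):
        # Post-fix logic as in the patch: the shortcut only fires when the
        # object is inside the authenticating folder's subhierarchy.
        if 'Authenticated' in object_roles and (
                self.getUserName() != 'Anonymous User'):
            if self._check_context(obj):
                return 1
        return self._allowed_by_role(obj, object_roles)


def build_site():
    """Constructed sample tree: a root with its own acl_users and a
    protected document, plus a sub-folder with a separate acl_users."""
    root = Node('root')
    UserFolder('acl_users', root)
    root_secret = Node('root_secret', root)   # outside alice's context
    sub = Node('sub', root)
    sub_users = UserFolder('acl_users', sub)  # the folder that authenticates alice
    sub_page = Node('page', sub)              # inside alice's context
    alice = User('alice', sub_users)
    anonymous = User('Anonymous User', sub_users)
    return alice, anonymous, sub_page, root_secret


def check_access():
    """Return the 1/0 decisions for documents protected by the
    'Authenticated' role, before and after the fix."""
    alice, anonymous, sub_page, root_secret = build_site()
    roles = ['Authenticated']
    return {
        'vulnerable_inside': alice.allowed_vulnerable(sub_page, roles),
        'vulnerable_outside': alice.allowed_vulnerable(root_secret, roles),
        'fixed_inside': alice.allowed_fixed(sub_page, roles),
        'fixed_outside': alice.allowed_fixed(root_secret, roles),
        'fixed_anonymous': anonymous.allowed_fixed(sub_page, roles),
    }


if __name__ == '__main__':
    for name, decision in check_access().items():
        print(f'{name}: {decision}')
```

The two `_outside` results are the whole point: before the fix, alice, authenticated only by the sub-folder's acl_users, is granted access to `root_secret` above that folder; after the fix she is denied there while still allowed on `page` inside her own subhierarchy, and the anonymous user is denied in both versions. A regression test for the real code would follow the same shape, with two user folders at different depths and one protected object above the inner one.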


