[CMF-checkins] CVS: CMF/CMFHotfix_20031026 - README.txt:1.1 __init__.py:1.1 version.txt:1.1

Tres Seaver cvs-admin at zope.org
Mon Oct 27 14:44:58 EST 2003

Update of /cvs-repository/CMF/CMFHotfix_20031026
In directory cvs.zope.org:/tmp/cvs-serv6501/CMFHotfix_20031026

Added Files:
	README.txt __init__.py version.txt 
Log Message:
 - Check in hotfix product.

=== Added File CMF/CMFHotfix_20031026/README.txt ===
CMF Hotfix Release, 2003/10/26


    This hotfix product addresses two issues with the Zope Content
    Management Framework (CMF):
     - It changes the permission assigned to the 'searchMembers'
       method of the 'portal_membership' tool.  This method exposes user
       IDs and other information about site members, and could be used by a 
       sufficiently clever cracker to mount an attack on the site.

     - It patches the 'registeredNotify' method of the 'portal_registration'
       tool, removing the possibility that an attacker might inject a
       hostile e-mail address into the mail which it generates.
    Zope Corporation recommends that all CMF-based sites upgrade to a version
    (see below) which contains the fix for this issue.  Sites which for some
    reason cannot upgrade may instead install this hotfix product.

  Affected Versions

    Users of CMF version 1.4.1 are potentially affected by this issue,
    as are users of version 1.3.2 and earlier.  Versions 1.3.3 and 1.4.2
    will contain this fix, and therefore will not require this hotfix.

  Obtaining the Hotfix

    The hotfix is available in two formats:

    - As a "Unix tarball",

    - As a "Windows zipfile",

  Installing the Hotfix

    1. Unpack the tarball into a working directory, and then move or link
       the 'CMFHotfix_20031026' directory into the Products directory of
       your '$INSTANCE_HOME' (next to 'CMFCore', 'CMFDefault', etc.).
    2. Restart Zope.
    E.g., assuming that you have Zope installed in '/usr/lib/Zope-2.6.1'
    (the '$SOFTWARE_HOME'), and that your instance data is in
    '/var/zope/instance' (the '$INSTANCE_HOME')::

      $ cd /var/zope/instance/Products
      $ tar xzf /tmp/CMFHotfix_20031026.tar.gz
      $ cd /var/zope/instance
      $ kill -HUP `cat var/Z2.pid`

    Windows users should unzip the ZIP file and move the extracted
    'CMFHotfix_20031026' folder to their Zope's 'Products' folder.
  Uninstalling the Hotfix
    You may remove the 'CMFHotfix_20031026' product directory after upgrading
    to one of the updated versions of CMF (1.3.3, 1.4.2, or later).  E.g.::

      $ cd /var/zope/instance/Products
      $ rm -r CMFHotfix_20031026

=== Added File CMF/CMFHotfix_20031026/__init__.py ===
""" CMFHotfix_20031026 product.

Please see the README.txt for affected versions, installation, etc.

$Id: __init__.py,v 1.1 2003/10/27 19:44:57 tseaver Exp $
from zLOG import LOG, INFO
from AccessControl.PermissionRole import PermissionRole

from Products.CMFCore.CMFCorePermissions import View, ListPortalMembers
from Products.CMFCore.MembershipTool import MembershipTool as MTool
from Products.CMFCore.utils import getToolByName

from Products.CMFDefault.RegistrationTool import RegistrationTool as RTool

def _update_MembershipTool_searchMembers_permission():

    """ Repair Collector #189 by careful surgery on the class dictionary
        of MembershipTool.

    new_permissions = []
    for k, v in MTool.__ac_permissions__:

        if k == View:
            new_v = [ x for x in v if x != 'searchMembers' ]
            v = tuple( new_v )

        new_permissions.append( ( k, v ) )

    new_permissions.append( ( ListPortalMembers, ( 'searchMembers', ) ) )

    MTool.__ac_permissions__ = tuple( new_permissions )
    MTool.searchMembers__roles__ = PermissionRole( ListPortalMembers
                                                 , ( 'Manager', )

    LOG( "CMFHotfix_20031026", INFO
       , "Updated permission on "
         + "CMFCore.MembershipTool.MembershipTool.searchMembers"
         + " from 'View' to 'List portal members'"

def _safer_registeredNotify( self, new_member_id ):

    """ Handle mailing the registration / welcome message.
    membership = getToolByName( self, 'portal_membership' )
    member = membership.getMemberById( new_member_id )

    if member is None:
        raise 'NotFound', 'The username you entered could not be found.'

    password = member.getPassword()

    email = member.getProperty( 'email' )

    if email is None:
        raise ValueError( 'No email address is registered for member: %s'
                        % new_member_id )

    # Rather than have the template try to use the mailhost, we will
    # render the message ourselves and send it from here (where we
    # don't need to worry about 'UseMailHost' permissions).
    mail_text = self.registered_notify_template( self
                                               , self.REQUEST
                                               , member=member
                                               , password=password
                                               , email=email
    host = self.MailHost
    host.send( mail_text )

    return self.mail_password_response( self, self.REQUEST )

def _monkeyPatch_RegistrationTool_registerNotify():

    """ Don't allow the user to smuggle in an email address via the request.
    RTool.registeredNotify = _safer_registeredNotify

    LOG( "CMFHotfix_20031026", INFO
       , "Monkey patched "
         + "CMFDefault.RegistrationTool.RegistrationTool.registerdNotify"
         + " to prevent email forgery"

def initialize( context ):



=== Added File CMF/CMFHotfix_20031026/version.txt ===

More information about the CMF-checkins mailing list