[Zodb-checkins] SVN: ZODB/trunk/s Bugs Fixed

Jim Fulton jim at zope.com
Tue Sep 1 06:20:28 EDT 2009


Log message for revision 103429:
  Bugs Fixed
  
  - CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
    blobs are available. Someone with write access to a ZEO server
    configured to support blobs could read any file on the system
    readable by the server process and remove any file removable by the
    server process.
  

Changed:
  U   ZODB/trunk/setup.py
  U   ZODB/trunk/src/CHANGES.txt
  U   ZODB/trunk/src/ZEO/StorageServer.py

-=-
Modified: ZODB/trunk/setup.py
===================================================================
--- ZODB/trunk/setup.py	2009-09-01 10:18:57 UTC (rev 103428)
+++ ZODB/trunk/setup.py	2009-09-01 10:20:28 UTC (rev 103429)
@@ -20,7 +20,7 @@
 interface, rich transaction support, and undo.
 """
 
-VERSION = "3.9.0dev"
+VERSION = "3.9.0c2"
 
 from ez_setup import use_setuptools
 use_setuptools()
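Review bot: the version bump from "3.9.0dev" to "3.9.0c2" is bundled into the security fix; it is consistent with the 3.9.0c2 date set in CHANGES.txt in this same revision, but keeping the release-tagging change in its own commit makes the CVE fix easier to cherry-pick onto maintenance branches.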

Modified: ZODB/trunk/src/CHANGES.txt
===================================================================
--- ZODB/trunk/src/CHANGES.txt	2009-09-01 10:18:57 UTC (rev 103428)
+++ ZODB/trunk/src/CHANGES.txt	2009-09-01 10:20:28 UTC (rev 103429)
@@ -2,12 +2,18 @@
  Change History
 ================
 
-3.9.0c2 (2009-08-??)
+3.9.0c2 (2009-09-01)
 ====================
 
 Bugs Fixed
 ----------
 
+- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
+  blobs are available. Someone with write access to a ZEO server
+  configured to support blobs could read any file on the system
+  readable by the server process and remove any file removable by the
+  server process.
+
 - BTrees (and TreeSets) kept references to internal keys.
   https://bugs.launchpad.net/zope3/+bug/294788
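Review bot: the new CVE-2009-2701 entry describes the impact but not what changed, so a reader of the changelog cannot tell how the hole was closed or whether their deployment exercises it; consider adding one sentence noting that the ZEO server now rejects blob filenames passed to storeBlobShared that contain a path separator or lack the expected ".tmp" suffix, and that only servers configured to support blobs reach this code path.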
 

Modified: ZODB/trunk/src/ZEO/StorageServer.py
===================================================================
--- ZODB/trunk/src/ZEO/StorageServer.py	2009-09-01 10:18:57 UTC (rev 103428)
+++ ZODB/trunk/src/ZEO/StorageServer.py	2009-09-01 10:20:28 UTC (rev 103429)
@@ -28,7 +28,6 @@
 import tempfile
 import threading
 import time
-import warnings
 import itertools
 
 import transaction
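Review bot: removing the unused `import warnings` is unrelated to the CVE fix and makes the security diff noisier than it needs to be for backporting; prefer a separate cleanup commit, and confirm nothing else in StorageServer.py still references `warnings` before it lands.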
@@ -609,6 +608,17 @@
 
     def storeBlobShared(self, oid, serial, data, filename, id):
         # Reconstruct the full path from the filename in the OID directory
+
+        if (os.path.sep in filename
+            or not (filename.endswith('.tmp')
+                    or filename[:-1].endswith('.tmp')
+                    )
+            ):
+            logger.critical(
+                "We're under attack! (bad filename to storeBlobShared, %r)",
+                filename)
+            raise ValueError(filename)
+
         filename = os.path.join(self.storage.fshelper.getPathForOID(oid),
                                 filename)
         self.blob_log.append((oid, serial, data, filename))
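Review bot: the guard at `if (os.path.sep in filename` only tests `os.path.sep`; on Windows `os.path.altsep` is `/` and `os.path.join` accepts it as a separator too, so a filename containing `/` passes this check and can still escape the OID directory. Test both separators (`os.path.sep in filename or (os.path.altsep and os.path.altsep in filename)`), and as defence in depth verify after the `os.path.join(...)` that the normalized result still lies under `self.storage.fshelper.getPathForOID(oid)` rather than relying on the pre-join filter alone. The `Changed:` list shows no test file touched; a regression test that feeds storeBlobShared a filename with a separator and one without the ".tmp" suffix and asserts `ValueError` would pin the fix. The `filename[:-1].endswith('.tmp')` branch also deserves a comment saying which legitimate name form (a single trailing character after ".tmp") it is meant to admit.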
