[Zope-Annce] Hotfix_2000-10-02

Shane Hathaway shane@digicool.com
Mon, 02 Oct 2000 13:58:41 -0400


  This hotfix addresses an important security issue that affects
  Zope versions 2.2.0, 2.2.1, and 2.2.2.

  It is sometimes possible to access, through a URL only, objects
  protected by a role which the user has in some context, but not
  in the context of the accessed object.

  Currently, the validate() method of all known user folder
  implementations validates against the users' roles in the context
  of PARENTS[0].  PARENTS[0] refers to the acquisition context of the
  object being published.  All security checks, however, should check
  an object's containment, not its acquisition context.

  validate(), therefore, needs to verify the user's roles in the
  context of the object being published.  This hotfix forces that to
  occur by temporarily leaving the object at PARENTS[0] then
  removing it after validation has been performed.

  Unfortunately, this is not an ideal correction.  In the near future
  all user folder validate() implementations need to perform security
  checks using the new Zope security policy subsystem.  Until that is
completed, this
  hotfix should close the security problem.

  While we know of no instances of this issue being used to exploit a 
  site, we recommend that any Zope 2.2.x site that is accessible by 
  untrusted clients have this hotfix product installed to mitigate the 

  The hotfix will work for all versions of Zope 2.2.0 and higher. A 
  future version of Zope will contain the fix for this 
  issue, and you will be able to uninstall the hot fix after upgrading.