Security Bug -- To be fixed in Zope 2.7.5 (was: Re: [Zope] Re: Re: Re: Blocking Sibling inheritance)

Dieter Maurer dieter at handshake.de
Thu Mar 10 13:33:06 EST 2005


Malcolm Cleaton wrote at 2005-3-10 10:07 +0000:
> ...
>> It should not be necessary:
>> 
>>    A user should not be able to access any *protected* (!) object
>>    outside the subhierarchy governed by the user folder
>>    that authenticated the user.
>> 
>> But maybe, we have a bug (and "aq_inContextOf" does not work
>> as expected).
>
>Yes, this shouldn't be necessary, and it looks like it's a bug.
>
>Looks to me like the bug is in User.py's allowed method. Quite simply,
>when it checks for the Authenticated role, it doesn't call
>self._check_context, so never attempts to detect and foil acquisition
>tricks. Unless I'm missing something, it should be a quick and easy fix.

You are right!

-- 
Dieter
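A simplified, added model of the check discussed above (this is not Zope's User.py; the Node and User classes, the method names and the sample tree are hypothetical). It puts the Authenticated short-circuit that skips the context check beside a version that applies _check_context on that path as it does for named roles:

```python
# Model of the bug in the thread: an "allowed" check that short-circuits on the
# Authenticated role without verifying that the object lies inside the
# sub-hierarchy of the user folder that authenticated the user. Added
# illustration, not Zope's code; all names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None  # parent links stand in for acquisition

    def in_context_of(self, ancestor: "Node") -> bool:
        # True if ancestor is on this node's containment chain (cf. aq_inContextOf).
        node = self
        while node is not None:
            if node is ancestor:
                return True
            node = node.parent
        return False

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    user_folder: Optional[Node] = None  # folder that authenticated this user

    def _check_context(self, obj: Node) -> bool:
        return self.user_folder is not None and obj.in_context_of(self.user_folder)

    def allowed_buggy(self, obj: Node, object_roles: set) -> bool:
        if "Anonymous" in object_roles:
            return True
        if "Authenticated" in object_roles and self.name != "Anonymous User":
            return True                       # bug: _check_context never runs
        return bool(object_roles & self.roles) and self._check_context(obj)

    def allowed_fixed(self, obj: Node, object_roles: set) -> bool:
        if "Anonymous" in object_roles:
            return True
        if "Authenticated" in object_roles and self.name != "Anonymous User":
            return self._check_context(obj)   # fix: same check as named roles
        return bool(object_roles & self.roles) and self._check_context(obj)

# Constructed sample tree: alice is authenticated by a user folder at /root/sub.
ROOT = Node("root")
SUB = Node("sub", ROOT)
INSIDE = Node("inside", SUB)       # under alice's user folder
SIBLING = Node("sibling", ROOT)    # sibling branch, outside it
ALICE = User("alice", {"Member"}, user_folder=SUB)
```

With the buggy check, alice reaches SIBLING whenever it only requires Authenticated; the fixed check confines her to the SUB subtree regardless of which role grants access.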