[Zope] Re: Security Bug -- To be fixed in Zope 2.7.5

Greg Fischer retheoff at gmail.com
Tue Mar 15 11:44:29 EST 2005


Thank for that Tres!  It works great!

Greg


On Thu, 10 Mar 2005 15:26:41 -0500, Tres Seaver <tseaver at zope.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dieter Maurer wrote:
> | Malcolm Cleaton wrote at 2005-3-10 10:07 +0000:
> |
> |>...
> |>
> |>>It should not be necessary:
> |>>
> |>>   A user should not be able to access any *protected* (!) object
> |>>   outside the subhierarchy governed by the user folder
> |>>   that authenticated the user.
> |>>
> |>>But maybe, we have a bug (and "aq_inContextOf" does not work
> |>>as expected).
> |>
> |>Yes, this shouldn't be necessary, and it looks like it's a bug.
> |>
> |>Looks to me like the bug is in User.py's allowed method. Quite simply,
> |>when it checks for the Authenticated role, it doesn't call
> |>self._check_context,
> |>so never attempts to detect and foil acquisition
> |>tricks. Unless I'm missing something, it should be a quick and easy fix.
> |
> |
> | You are right!
> 
> Yep.  The only hard part will be writing a decent unit test which
> exercises the bug:
> 
> - -------------------- 8< ------------------
> diff -u -r1.176.14.7 User.py
> - --- lib/python/AccessControl/User.py    25 Jan 2005 13:46:14 -0000
> 1.176.14.7
> +++ lib/python/AccessControl/User.py    10 Mar 2005 20:26:53 -0000
> @@ -182,7 +182,8 @@
> ~         # role and user is not nobody
> ~         if 'Authenticated' in object_roles and (
> ~             self.getUserName() != 'Anonymous User'):
> - -            return 1
> +            if self._check_context(object):
> +                return 1
> 
> ~         # Check for ancient role data up front, convert if found.
> ~         # This should almost never happen, and should probably be
> - -------------------- 8< ------------------
> 
> Tres.
> - --
> ===============================================================
> Tres Seaver                                tseaver at zope.com
> Zope Corporation      "Zope Dealers"       http://www.zope.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> 
> iD8DBQFCMK2AGqWXf00rNCgRAux+AJ0Zas9R/lUMc+Oot05jl5TNbunQLACeKBlt
> ZgoCjc6pOE8AjdSy6a7CUj8=
> =RLrC
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
> 


-- 
Greg Fischer
1st Byte Solutions
http://www.1stbyte.com


More information about the Zope mailing list