[zope2-tracker] [Bug 1079238] [NEW] App.Undo.UndoSupport.get_request_var_or_attr exposes attributes

Tres Seaver tseaver at palladion.com
Thu Nov 15 15:12:58 UTC 2012


*** This bug is a security vulnerability ***

Public security bug reported:

Historical bug: prior to r123753 (2.12 branch) and forward-ports, the
'get_request_var_or_attr' helper function of App.Undo.UndoSupport
could be abused to gain access to protected attributes of the context.

Fix released 2011-12-12 with 2.12.21 and 2.13.11

** Affects: zope2
     Importance: Undecided
         Status: Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5489

-- 
You received this bug notification because you are a member of Zope 2
Developers, which is subscribed to Zope 2.
https://bugs.launchpad.net/bugs/1079238
