The problem arises only if a fileField has a read_permission more restrictive than the one that applies to the context. For example, public content with a fileField available only to reviewers.
bye

On 07/Nov/2012 11:32, "Yuri" <[email protected]> wrote:
> On 07/11/2012 11:29, Vito Falco wrote:
>> For clarifications on the BLOB issue, just ask Sauzher, who "caught" it :)
>
> Is there a pattern to grep for in the logs? That way I can see whether anyone has tried it :-P
>
>> Information for security researchers
>> Impact Subscore: 4.9
>> Exploitability Subscore: 10
>> Overall CVSS Score: 5
>> Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P/E:P/RL:O/RC:C)
>> CWE: CWE-306
>> Credit: Alessandro SauZheR
>>
>> Vito
>>
>> 2012/11/7 Yuri <[email protected]>
>>
>> http://plone.org/products/plone/security/advisories/20121106
>>
>> Here are all the problems fixed by the hotfix. Some are paranoid in normal cases (how many real untrusted users do we have who write Python scripts?); the only one worth noting, it seems to me, is this one:
>>
>> http://plone.org/products/plone/security/advisories/20121106/17
>>
>> BLOBs stored on custom content types can be accessed through a non-standard URL, bypassing the declared permission check
>>
>> Anonymous users can use a crafted URL to illegitimately download Files and Images. Thanks to Karl Johan Kleist who found that this had been incorrectly reported, and let the security team know.
>>
>> ===============
>>
>> So I think the only "real" problem is this one. From the fix it seems the field is accessible through its index_html method. So from a web URL you somehow get to the field, and from there the method lets you download the file, regardless of permissions.
>>
>> Do you agree?
>>
>> --
>> *Vito Falco*
>> Webdeveloper & designer freelance, Plone enthusiast
>> Bari, IT
>> tel +39 3346330137 | skype vito80ba | twitter vito80ba
>> Blog http://appuntiplone.wordpress.com
_______________________________________________ Plone-IT mailing list [email protected] https://lists.plone.org/mailman/listinfo/plone-plone-it http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html
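A toy model of the condition Vito describes, added here as an example; it is not Plone code and not code posted by anyone in the thread. It simulates a content object with a context-level "View" check and a file field with its own read_permission (role sets, a `Content` class, a `FileField` class and the three download functions are all hypothetical, simplified stand-ins for Plone's real security machinery). The normal view path checks context and field; a direct download path that only checks the context reproduces the gap: an anonymous user gets the reviewer-only field of a public page. When the field's read_permission is no stricter than the context's, the direct path changes nothing, which is exactly the "only if more restrictive" condition in the reply above.

```python
"""Toy model of the context-vs-field permission gap discussed in the thread.
Added example; simplified role-based checks, not Plone's actual machinery."""


class Unauthorized(Exception):
    """Raised when none of the user's roles holds the required permission."""


class FileField:
    # read_roles stands in for the field's declared read_permission (hypothetical).
    def __init__(self, data, read_roles):
        self.data = data
        self.read_roles = set(read_roles)


class Content:
    # view_roles stands in for the roles holding "View" on the context (hypothetical).
    def __init__(self, view_roles, fields):
        self.view_roles = set(view_roles)
        self.fields = fields  # field name -> FileField


def check(allowed_roles, user_roles):
    """Permission check: at least one of the user's roles must be allowed."""
    if not (allowed_roles & set(user_roles)):
        raise Unauthorized


def download_via_view(content, name, user_roles):
    """Normal path: the view checks the context, then the field's own read_permission."""
    check(content.view_roles, user_roles)
    field = content.fields[name]
    check(field.read_roles, user_roles)
    return field.data


def download_direct_vulnerable(content, name, user_roles):
    """Direct path that traverses to the context and serves the blob without ever
    consulting the field-level read_permission (the gap modelled here)."""
    check(content.view_roles, user_roles)
    return content.fields[name].data


def download_direct_fixed(content, name, user_roles):
    """Hardened direct path: enforce the field's read_permission before serving."""
    check(content.view_roles, user_roles)
    field = content.fields[name]
    check(field.read_roles, user_roles)
    return field.data


def can_download(fn, content, name, user_roles):
    try:
        fn(content, name, user_roles)
        return True
    except Unauthorized:
        return False


def gap_report(content, name, user_roles):
    """Return (via_view, direct_vulnerable, direct_fixed) for one field/user pair."""
    return tuple(
        can_download(fn, content, name, user_roles)
        for fn in (download_via_view, download_direct_vulnerable, download_direct_fixed)
    )


# Constructed sample data (not real site content).
ANONYMOUS = ["Anonymous"]
REVIEWER = ["Authenticated", "Reviewer"]
EVERYONE = ["Anonymous", "Authenticated", "Reviewer"]

# Public page: anyone may View, but the "draft" field is restricted to Reviewer.
public_page = Content(
    view_roles=EVERYONE,
    fields={
        "attachment": FileField(b"public bytes", EVERYONE),
        "draft": FileField(b"reviewer-only bytes", ["Reviewer"]),
    },
)

# Private page: the context itself is reviewer-only, so the direct path gains nothing.
private_page = Content(
    view_roles=["Reviewer"],
    fields={"draft": FileField(b"private draft", ["Reviewer"])},
)

if __name__ == "__main__":
    for page_name, page in (("public", public_page), ("private", private_page)):
        for field in page.fields:
            print(page_name, field, "anonymous:", gap_report(page, field, ANONYMOUS))
            print(page_name, field, "reviewer: ", gap_report(page, field, REVIEWER))
```

The middle value of each tuple is the direct path before the fix: it differs from the other two only for the public page's reviewer-only field, the single configuration where the field's read_permission is stricter than the context's "View".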
