Hello,
Plone recently released a security hotfix with a dozen patches in it
[1].
With a quick glance at the source code of those fixes, it seemed several
of them directly patch Zope, not Plone-related products.
Is there any plan to make new releases of Zope 2.12 and Zope 2.13
integrating the patches that are meaningful for pure-Zope (non-Plone)
applications?
Plone doesn't always use the latest version of Zope. These are backports.
Matt
The Zope security response team is announcing a fix for a
vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of
arbitrary code by anonymous users. The hotfix for this vulnerability
was pre-announced last week.
This is a severe vulnerability that allows an unauthenticated attacker
This is an update on today's security hotfix release.
The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
(11:00am US EDT.) Updated versions of Zope 2 containing the security
fix will be released at the same time.
For details on which versions of Zope and Plone are affected,
(Tue, Jun 28, 2011 at 12:57:02PM +0100) Laurence Rowe wrote/schrieb/egrapse:
This is an update on today's security hotfix release.
Thank you for the update, most helpful!
The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
(11:00am US EDT.) Updated versions of Zope 2
On behalf of the Plone and Zope Security Teams I'd like to draw your
attention to a security announcement that has just been published.
This is a pre-announcement only; it does not contain any vulnerability
details. Your sites are as safe today as they were yesterday. However,
as the problem that
Hi,
I have monkey-patched the QueueCatalog to adopt it to our needs, which
works fine. I now wanted to introduce a new feature:
The QueueCatalog should be bypassed during mass-import of data.
So I introduced a new variable _bypass, and new getBypassQueue() and
setBypassQueue methods in the
Joachim Schmitz wrote at 2007-9-19 11:54 +0200:
and
../portal_catalog/getBypassQueue
displays a 1
This looks like a security bug.
You should not be able to call something via the ZPublisher
that you cannot call in a script.
Maybe you could file a bug report?
--
Dieter
Overview
Zope Corporation has released a Zope hotfix product addressing a
potential vulnerability discovered during a recent security audit
of Zope 2.7 and 2.8.
Affected Versions
The hotfix affects versions 2.7.5 and earlier of Zope on the
Hi there,
I have a little help class:
class NamesProxy:
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, names):
        self.names = names

    def __getitem__(self, item):
        return self.names[item]

    def __len__(self):
        return len(self.names)
...which lets me
Herman Geldenhuys wrote:
I've written a Zope product that exposes a MenuItem. I add a menuItem
in a Zope folder, and I have no difficulty accessing and editing it via
the ZMI. I've written an xml-rpc-like protocol for Zope, that basically
validates the security manually.
What do you mean by
, January 30, 2004 10:48 AM
Subject: Re: [Zope-dev] Security validation issue
Herman Geldenhuys wrote:
I've written a Zope product that exposes a MenuItem. I add a menuItem
in a Zope folder, and I have no difficulty accessing and editing it via
the ZMI. I've written an xml-rpc-like protocol
I've written a Zope product that exposes a
"MenuItem". I add a menuItem in a Zope folder, and I have no difficulty
accessing and editing it via the ZMI. I've written an xml-rpc-like protocol
for Zope, that basically validates the security "manually".
This menuItem has an attribute called
On 13/01/2004, at 4:19 PM, Stuart Bishop wrote:
The 'security audit work for the 2.7 branch' commit on 8th Jan made
the following change in PageTemplates/Expression.py:
As well as in other locations such
Toby Gustafson wrote at 2003-8-14 04:35 -0700:
...
I am having a problem accessing a function defined in a product I have
created and installed.
...
From that script I try to call the
function with the lines:
from Products.StoreEvent import StoreEvent
...
Hello,
I am having a problem accessing a function defined in a product I have
created and installed.
The product is called StoreEvent, and it was created using the
PloneMinimalInstall as a guide.
In the StoreEvent product is a file called StoreEvent, which contains a
function
Shane Hathaway [EMAIL PROTECTED] wrote:
Do you not want foo to have the Manager role?
Andre Schubert wrote:
No, because he is no longer in our company.
Shane Hathaway [EMAIL PROTECTED] wrote:
I think you're asking for a find + chown utility, right? I don't know
of one, but it sure would
Hi all,
I have a little security problem which results in the following error
reported by Shane Hathaway's nice VerboseSecurity:
Error Type: Unauthorized
Error Value: The owner of the executing script does not have the required permission.
Access to 'foobar' of (Folder instance at 932b600)
On 02/18/2003 09:16 AM, Andre Schubert wrote:
I try to explain what happens. Let's say I have a user called foo who
has Manager roles across a Zope site. foo has added 2 DTMLMethods to
a folder called bar and foobar. foobar is called from inside bar
(dtml-call foobar). He also created a Role
Andre Schubert wrote:
Hi all,
I have a little security problem which results in the following error
reported by Shane Hathaway's nice VerboseSecurity:
Error Type: Unauthorized
Error Value: The owner of the executing script does not have the required permission. Access to 'foobar' of (Folder
On Tue, 18 Feb 2003 12:01:45 -0500
Shane Hathaway [EMAIL PROTECTED] wrote:
On 02/18/2003 09:16 AM, Andre Schubert wrote:
I try to explain what happens. Let's say I have a user called foo who
has Manager roles across a Zope site. foo has added 2 DTMLMethods to
a folder called bar and foobar.
At Thu, 21 Nov 2002 12:16:09 +, Chris Withers wrote:
I'm trying to get stripogram working from Script(Pythons). I thought I had it,
but it appears I don't.
I added the following in the __init__.py of the stripogram package:
try:
from AccessControl import
Hi,
I'm trying to get stripogram working from Script(Pythons). I thought I had it,
but it appears I don't.
I added the following in the __init__.py of the stripogram package:
try:
    from AccessControl import ModuleSecurityInfo, allow_module
except ImportError:
    # no Zope around
    raise
Hi,
I'd like to build a suite of security tests for a product I'm writing using
unittest.py.
Is this possible?
I thought about using newSecurityManager with various known users, and
restrictedTraverse to get to the appropriate methods, but then how do I test if
those methods are callable?
Chris!
You might want to take a look at my ZopeTestCase package. It supports Zope
security testing with users, roles, permissions and all.
http://www.zope.org/Members/shh/ZopeTestCase/
Also see the tests coming with the ReplaceSupport and DocFinderEverywhere
products. In essence
Andre Schubert writes:
If I have the permission to view the management screens I am able to add Zope
Permissions... is this a security bug or not?
It probably is.
I have been really unable to read this from your previous report, sorry!
Dieter
On Wed, 8 May 2002 23:04:08 +0200
Dieter Maurer [EMAIL PROTECTED] wrote:
Andre Schubert writes:
could this be a bug in the security-machinery?
Let's say we have a role foo; this role has the permission to view the management
screens.
Let's say we have a user bar which has the role
Just a word to thank you for your reply.
But incidentally, wouldn't it be a good idea for Globals.InitializeClass()
to throw an error
or a warning of some kind for hanging 'security.stuff()' declarations,
declarations which do not have a related ClassSecurityInfo object AT THE
CLASS LEVEL? To the
vio wrote:
Just a word to thank you for your reply.
But incidentally, wouldn't it be a good idea for Globals.InitializeClass()
to throw an error
or a warning of some kind for hanging 'security.stuff()' declarations,
declarations which do not have a related ClassSecurityInfo object AT THE
* vio [EMAIL PROTECTED] [020119 09:56]:
vio wrote:
Just a word to thank you for your reply.
But incidentally, wouldn't it be a good idea for Globals.InitializeClass()
to throw an error
or a warning of some kind for hanging 'security.stuff()' declarations,
declarations which do not have
vio wrote:
deletia
So Globals.InitializeClass(your_class) finds the declaration
'security.declareSomething()' inside a class, but 'security' being
a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has
no effect at the class level (while I wrongly thought that by
You are right, I struggled a lot to understand Zope's declarative security
model. And I am still learning, so practice makes better. I didn't read
Globals.InitializeClass() source, and I wrote my following comments out of the
blue. Developing an error-correcting system might still be a little
At 10:43 AM 1/19/02 -0500, vio wrote:
* vio [EMAIL PROTECTED] [020119 09:56]:
So Globals.InitializeClass(your_class) finds the declaration
'security.declareSomething()' inside a class, but 'security' being
a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has
no effect at the
* Phillip J. Eby [EMAIL PROTECTED] [020119 12:04]:
...
IMHO, you don't want to share a security object between more than one
class, since presumably they will have different declarations and thus each
require their own. So there's no reason to create a ClassSecurityInfo
object at the
Could someone have a look at the following 'Boring' class with the security
functionality added (as described in ZopeBook/6.Security and some other products).
Could the 'security' machinery be broken in Zope-2.4.1? It surely doesn't seem to work as
advertised, on my machine at least (Debian Linux
On Saturday 24 November 2001 01:40, Andre Schubert wrote:
root/
index_html
foo/
acl_users/
bar/
Image
I have an image which can only be viewed by users with a role named
foobar; these users are in acl_users.
If I access the image through the web I must authenticate
Danny William Adair wrote:
On Saturday 24 November 2001 01:40, Andre Schubert wrote:
root/
index_html
foo/
acl_users/
bar/
Image
I have an image which can only be viewed by users with a role named
foobar; these users are in acl_users.
If I access the
This doesn't work, because the user is not known in root where the
index_html is;
the user is known in the folder view.
Sorry.
I think I read your first email a little too fast.
This behavior is normal, and meant to strengthen Zope security.
You are not calling the Image object, index_html
Hi.
Looking at Amos ZPublisher howto,
http://www.zope.org/Members/Amos/ZPublisher
Would it be possible to use the security machinery too?
/Magnus
Tim McLaughlin wrote:
root has a role called 'User' with 'View' permissions (anonymous is
disabled) and acl_users has a user called joe. joe can access objects in
folder2 according to the permissions set on the root by using acquisition
like this:
http://server/folder1/folder2/object1
joe
It seems to me that a User should not get to keep their roles in the
acquired objects which are above the User Folder in which the user is
defined... However, that does not seem to be true according to my testing.
This is what happens. Imagine a tree like this
root-folder1-acl_users
Hello All,
Dieter Maurer uncovered a potential security issue yesterday that
necessitated a hotfix release.
This hotfix addresses an important security issue that affects Zope
versions up to and including Zope 2.3.2.
The issue is related to ZClasses in that any user can visit a
Andre Schubert wrote:
But is there a way to find out that the current REQUEST comes from joe
and joe has no user object in the root acl_users.
If you're doing this because you're worried that Joe won't later be able to view
the protected document, don't worry, Zope will handle that for you
Hi all,
I have a question on the security system of zope.
First I have a folder called foo in the root with acl_users and a doc
called foo_doc:
root/
    bar_doc
    foo/
        acl_users/
            joe
        foo_doc
If Anonymous users couldn't view the foo_doc. This means only logged in
users
Andre Schubert writes:
... direct access to authentication credentials ...
You cannot ask Zope about the user identity because
it does not visit the authenticating user folder
in the described case.
If you use basic authentication (the Zope default), then
you can read "REQUEST._auth" to get
Hello all -
An issue has come to our attention (thanks to Randy Kern) that
necessitates a Zope hotfix. Hotfix products can be installed to
incorporate modifications to Zope at runtime without requiring
an immediate installation upgrade. Hotfix products are installed
just as you would
Hello All,
Casey Duncan uncovered a potential security issue today that
necessitated a hotfix release.
This hotfix addresses an important security issue that affects Zope
versions up to and including Zope 2.3.1 b1.
The issue is related to ZClasses in that a user with through-the-web
Hi folks,
It turns out that the released versions of the CookieCrumbler product have
a terrible security hole. I recommend you uninstall it immediately.
I'm not going to be able to deal with the problem fully today, but if
you're interested in getting a solution right away you can grab today's
Answering my own post ;-)
Security does work, and was being applied, it's just still very much
along 'allow by default'.
Chris Withers wrote:
This class has no __roles__, no __ac_permissions__, no nothing...
Instances of this class are stored within a special folderish class, Y.
Now the key
Hi there,
I'm slightly confused by a class I have:
class X(Persistent, Acquisition.Explicit):
This class has no __roles__, no __ac_permissions__, no nothing...
Instances of this class are stored within a special folderish class, Y.
This folderish class has a __bobo_traverse__ which returns X
Hi,
I have found the Security Permissions below in the Zope Root that are not
defined by myself.
A
D
G
Z
a
d
h
r
s
t
Who can tell me where these Permissions come from?
as
On Sun, Nov 12, 2000 at 11:42:32PM +0100, Dieter Maurer waxed eloquent:
I tried it on my ZopeCVS installation.
The Python parts are quite new. The C-part is about 2 weeks old.
I can not observe what you describe.
"/index_html" can be viewed as "Anonymous" without any
change in
I should have included this in my previous reply - this is the Zope
error I am getting after failing out of BASICAUTH login:
--
Zope Error
Zope has encountered an error while publishing this resource.
Unauthorized
I had posted about this previously, but no one has tackled this one,
it seems to be a pretty serious issue, plus I've done a *lot* of poking
around and learned a few things since I first reported it. What I have
*not* found (or been told) is that the below described behavior is normal.
First a
Toby Dickenson wrote:
Zope security is context based: Users can be defined in a subfolder and only
have access under that folder, they can also be given local roles for a
given folder. The role:permission mapping is set per-folder. Any security
aware object needs to know its context.
Yeah,
Toby Dickenson and Brian Lloyd wrote:
list.append(DisplayClass(name,self))
list.append(DisplayClass(name,self).__of__(self))
class DisplayClass(Globals.Persistent):
class DisplayClass(Globals.Persistent, Acquisition.Implicit):
Okay, this did the
If anyone can help me with this, it'd give me more faith in the new
security model :-S
Right, I have a Python Product Class (lots of bits left out ;-):
class MyProduct(OFS.SimpleItem.SimpleItem):
    """...
    """
    __ac_permissions__ = (
        ('Use MyProduct',
On Mon, 23 Oct 2000 15:59:24 +0100, Chris Withers [EMAIL PROTECTED]
wrote:
(untested hints to follow)
class MyProduct(OFS.SimpleItem.SimpleItem):
    """...
    """
    __ac_permissions__ = (
        ('Use MyProduct', ('a_method',), ('Manager',)),
    )
Well, I just tried to post several paragraphs to the security interface
wiki, and netscape reported a proxy problem. It then ate my posting
instead of giving it back to me when I pressed back. So I'm going
to try to recreate what I wrote here and hope someone will post it
for me or something.
Well, what do you know? I leave it for a couple of hours to set up a
laptop, come back and try again.
It's not hanging anymore, but I'm still getting the errors when I click
cancel:
Chris Withers wrote:
Posting's objects have a text attribute called 'subject'
Unless you have
Johan Carlsson wrote:
First, you can't delegate the permission to add and delete users except
by assigning the user the role "manager".
IMHO this is too limiting.
Second, if you give a user the permission to Change Permissions, that
user can change permissions that she doesn't have the right
Hi all,
I noticed some strange behavior in the way Zope User Folders work.
First, you can't delegate the permission to add and delete users except
by assigning the user the role "manager".
IMHO this is too limiting.
Second, if you give a user the permission to Change Permissions, that
user can