Re: [Zope-dev] AccessControl bug fixed

2012-08-23 Thread Tres Seaver

On 08/23/2012 11:23 AM, li...@nidelven-it.no wrote:

> does this have any security implications?

The bug doesn't provide any obvious attack vector.  Applications which
used the doubly-unusual feature ('__roles__' being a class instance,
rather than a list or tuple, and in addition having a
'rolesForPermission' method) would have the last-used such class have its
'rolesForPermission' used instead of the normal 'global' one in
subsequent initial checks inside
'AccessControl.ZopeSecurityPolicy.get_roles'.


Tres.
-- 
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   "Excellence by Design"http://palladion.com

___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] AccessControl bug fixed

2012-08-23 Thread Hanno Schlichting
On Thu, Aug 23, 2012 at 5:23 PM,   wrote:
> does this have any security implications?

In short: No.

Long answer: Not unless you have very custom code similar to what's in
the provided test (providing a custom rolesForPermissionOn callable on
a class). And that code would have never worked as intended, or at
least it would have already been broken in Zope 2.12.

Hanno
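The failure mode Tres and Hanno describe above (a '__roles__' value that is a class instance carrying its own roles-for-permission callable, whose callable then gets reused by later checks on unrelated objects) is modelled in the added Python example below. This is not the AccessControl source or the committed fix: the lazily bound module global, the rolesForPermission(obj, permission) signature, and the names global_roles_for_permission, OddRoles, OddObject and PlainObject are assumptions chosen to reproduce the described symptom, and isolation_check is the kind of regression test Hanno asks for, showing the contamination in the buggy variant and its absence in the fixed one.

```python
"""Constructed model of the failure mode described in the thread: a
per-class __roles__ override leaking into module-level state so that
later, unrelated checks reuse it.  NOT the AccessControl source; every
name below is made up for illustration."""

# Module-level, lazily bound lookup, standing in for the lazy-loaded
# globals Martin mentions in ZopeSecurityPolicy (assumption).
_roles_for_permission = None


def global_roles_for_permission(obj, permission):
    """Stand-in for the normal, module-wide role lookup (assumption:
    roles come from a per-object mapping, defaulting to Manager)."""
    mapping = getattr(obj, "permission_roles", {})
    return tuple(mapping.get(permission, ("Manager",)))


def _reset():
    """Forget the lazily bound lookup so each scenario starts clean."""
    global _roles_for_permission
    _roles_for_permission = None


def get_roles_buggy(obj, permission):
    """Mirrors the symptom Tres describes: the override picked up by one
    check is reused by the next check on an unrelated object."""
    global _roles_for_permission
    if _roles_for_permission is None:
        _roles_for_permission = global_roles_for_permission
    roles = getattr(obj, "__roles__", None)
    if roles is not None and hasattr(roles, "rolesForPermission"):
        # Defect: the per-class override is written into the module
        # global instead of a local, so it outlives this call.
        _roles_for_permission = roles.rolesForPermission
    return _roles_for_permission(obj, permission)


def get_roles_fixed(obj, permission):
    """Same lookup, but the per-class override stays local to this call."""
    global _roles_for_permission
    if _roles_for_permission is None:
        _roles_for_permission = global_roles_for_permission
    lookup = _roles_for_permission
    roles = getattr(obj, "__roles__", None)
    if roles is not None and hasattr(roles, "rolesForPermission"):
        lookup = roles.rolesForPermission
    return lookup(obj, permission)


class OddRoles:
    """A __roles__ value that is a class instance with rolesForPermission
    (the 'doubly-unusual' case).  The signature is an assumption."""

    def rolesForPermission(self, obj, permission):
        return ("Anonymous",)


class OddObject:
    __roles__ = OddRoles()


class PlainObject:
    """Ordinary object with no __roles__; relies on the global lookup."""
    permission_roles = {"View": ("Manager", "Owner")}


def isolation_check(get_roles):
    """Regression check in the spirit of the test Hanno asks for: a check
    against an OddObject must not change the answer for a PlainObject
    checked afterwards.  Returns both answers for inspection."""
    _reset()
    first = get_roles(OddObject(), "View")
    second = get_roles(PlainObject(), "View")
    return first, second


if __name__ == "__main__":
    for name, fn in (("buggy", get_roles_buggy), ("fixed", get_roles_fixed)):
        odd, plain = isolation_check(fn)
        print(f"{name}: odd object -> {odd}, plain object afterwards -> {plain}")
```

Run stand-alone, the buggy variant reports the plain object's roles as ('Anonymous',) because the previous check left the override bound at module level, while the fixed variant returns the plain object's own ('Manager', 'Owner'). A test of this shape (two checks in sequence, asserting the second is unaffected by the first) is what catches stale module-level state that a single-object test never exercises.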


Re: [Zope-dev] AccessControl bug fixed

2012-08-23 Thread lists
Hi,

does this have any security implications?

> On Wed, Aug 22, 2012 at 3:00 PM, Yusei TAHARA  wrote:
>> I found a bug in ZopeSecurityPolicy and fixed it.
>>
>> http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy.py?rev=127548&r1=113657&r2=127548
>>
>> Is it possible to release a new version?
>
> I can do that. But is there any chance you could write a test for
> this? Or at least tell us how you found this bug?
>
> Hanno


-- 
Nidelven IT || We know Python, Zope & Plone

http://www.nidelven-it.no/



Re: [Zope-dev] AccessControl bug fixed

2012-08-22 Thread Hanno Schlichting
On Wed, Aug 22, 2012 at 3:00 PM, Yusei TAHARA  wrote:
> I found a bug in ZopeSecurityPolicy and fixed it.
>
> http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy.py?rev=127548&r1=113657&r2=127548
>
> Is it possible to release a new version?

I can do that. But is there any chance you could write a test for
this? Or at least tell us how you found this bug?

Hanno


Re: [Zope-dev] AccessControl bug fixed

2012-08-22 Thread Martin Aspeli
On 22 August 2012 18:30, Yusei TAHARA  wrote:

> Hello,
>
> I found a bug in ZopeSecurityPolicy and fixed it.
>
>
> http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy.py?rev=127548&r1=113657&r2=127548
>
> Is it possible to release a new version?
>

Are we sure this wasn't done on purpose? At least it needs some review;
there's lots of weird caching and lazy loading of global variables in that
module. I *think* it's fine looking at the diff, but a second opinion would
be useful.

Martin


[Zope-dev] AccessControl bug fixed

2012-08-22 Thread Yusei TAHARA
Hello,

I found a bug in ZopeSecurityPolicy and fixed it.

http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy.py?rev=127548&r1=113657&r2=127548

Is it possible to release a new version?

Regards,
-- 
Yusei TAHARA 