Re: [Zope-dev] AccessControl bug fixed
On 08/23/2012 11:23 AM, li...@nidelven-it.no wrote:

> does this have any security implications?

The bug doesn't provide any obvious attack vector. Applications which
used the doubly-unusual feature ('__roles__' being a class instance,
rather than a list or tuple, and in addition having a
'rolesForPermission' method) would have the last-used such class have
its 'rolesForPermission' used instead of the normal 'global' one in
subsequent initial checks inside
'AccessControl.ZopeSecurityPolicy.get_roles'.

Tres.
--
===
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com

___
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] AccessControl bug fixed
On Thu, Aug 23, 2012 at 5:23 PM, wrote:

> does this have any security implications?

In short: No.

Long answer: Not unless you have very custom code similar to what's in
the provided test (providing a custom rolesForPermissionOn callable on
a class). And that code would have never worked as intended or at least
it would have already been broken in Zope 2.12.

Hanno
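Tres's reply above describes the failure mode (a custom 'rolesForPermission' from a class-instance '__roles__' replacing the normal global lookup for later checks) and Hanno's reply names the same custom-callable case. The following is an added toy model of that mechanism, written for this page; it is not AccessControl's code and does not reproduce the actual diff, which is not shown here. The names default_roles_for_permission, CustomRoles, _roles_lookup, get_roles_buggy, get_roles_fixed and the 'doc-N' object ids are all assumptions made for illustration, and the sample data is constructed.

```python
# Added example: toy model of a roles lookup whose buggy variant lets the
# last custom rolesForPermission callable leak into a module global, so
# unrelated later checks use it instead of the default lookup.  Not
# AccessControl code; all names below are assumptions for illustration.


def default_roles_for_permission(value):
    """Stand-in for the module-level ('global') lookup the policy normally
    uses when __roles__ is neither a list nor a tuple.  Constructed: in
    this toy everything is Manager-only by default."""
    return ('Manager',)


class CustomRoles:
    """A __roles__ value that is a class instance rather than a list or
    tuple, and that also carries a rolesForPermission method (the
    'doubly-unusual' case from the thread)."""

    def __init__(self, roles):
        self._roles = tuple(roles)

    def rolesForPermission(self, value):
        return self._roles


# Module-level slot the buggy variant overwrites.  The real module does
# lazy loading of several globals; this one variable stands in for that.
_roles_lookup = default_roles_for_permission


def get_roles_buggy(value, roles):
    """Buggy variant: a custom rolesForPermission is stored in the module
    global, so every later check that should fall back to the default
    lookup instead uses the last custom callable seen."""
    global _roles_lookup
    if isinstance(roles, (list, tuple)):
        return tuple(roles)
    custom = getattr(roles, 'rolesForPermission', None)
    if custom is not None:
        _roles_lookup = custom          # BUG: leaks across checks
    return _roles_lookup(value)


def get_roles_fixed(value, roles):
    """Fixed variant: the choice of lookup is local to this call and the
    module global is never touched."""
    if isinstance(roles, (list, tuple)):
        return tuple(roles)
    custom = getattr(roles, 'rolesForPermission', None)
    lookup = custom if custom is not None else default_roles_for_permission
    return lookup(value)


def reset():
    """Restore the module global so each run starts from a clean state."""
    global _roles_lookup
    _roles_lookup = default_roles_for_permission


def run_sequence(get_roles):
    """Three checks in order: a plain object (roles=None means 'use the
    default lookup'), then an object carrying CustomRoles, then a plain
    object again.  Returns the three role tuples so the third one can be
    compared between the buggy and the fixed variant."""
    reset()
    before = get_roles('doc-1', None)
    custom = get_roles('doc-2', CustomRoles(['Anonymous']))
    after = get_roles('doc-3', None)
    return before, custom, after


if __name__ == '__main__':
    print('buggy:', run_sequence(get_roles_buggy))
    print('fixed:', run_sequence(get_roles_fixed))
```

With the buggy variant the third check on a plain object returns the Anonymous roles that belong to the custom object, because the bound method is still sitting in the module global; with the fixed variant it returns the default Manager roles. This is why Martin's point about the module's caching of globals matters for review: any time a per-object callable is written into module state, the next unrelated check inherits it.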
Re: [Zope-dev] AccessControl bug fixed
Hi,

does this have any security implications?

> On Wed, Aug 22, 2012 at 3:00 PM, Yusei TAHARA wrote:
>> I found a bug in ZopeSecurityPolicy and fixed it.
>>
>> http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy.py?rev=127548&r1=113657&r2=127548
>>
>> Is it possible to release a new version?
>
> I can do that. But is there any chance you could write a test for
> this. Or at least tell us how you found this bug?
>
> Hanno

--
Nidelven IT || We know Python, Zope & Plone
http://www.nidelven-it.no/
Re: [Zope-dev] AccessControl bug fixed
On Wed, Aug 22, 2012 at 3:00 PM, Yusei TAHARA wrote:
> I found a bug in ZopeSecurityPolicy and fixed it.
>
> http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy.py?rev=127548&r1=113657&r2=127548
>
> Is it possible to release a new version?

I can do that. But is there any chance you could write a test for
this. Or at least tell us how you found this bug?

Hanno
Re: [Zope-dev] AccessControl bug fixed
On 22 August 2012 18:30, Yusei TAHARA wrote:
> Hello,
>
> I found a bug in ZopeSecurityPolicy and fixed it.
>
> http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy.py?rev=127548&r1=113657&r2=127548
>
> Is it possible to release a new version?

Are we sure this wasn't done on purpose? At least it needs some review;
there's lots of weird caching and lazy loading of global variables in
that module. I *think* it's fine looking at the diff, but a second
opinion would be useful.

Martin
[Zope-dev] AccessControl bug fixed
Hello,

I found a bug in ZopeSecurityPolicy and fixed it.

http://svn.zope.org/AccessControl/trunk/src/AccessControl/ZopeSecurityPolicy.py?rev=127548&r1=113657&r2=127548

Is it possible to release a new version?

Regards,
--
Yusei TAHARA