On Thu, Mar 5, 2009 at 1:48 PM, Daniel Fetchinson <[email protected]> wrote:
>
>> TurboGears beta 7 is an important security update for Beta 5 and Beta 6
>> users. Please update all production apps from b5 or b6 to beta 7
>> immediately. We're doing a Beta 7 rather than an RC1 because of the
>> importance of this issue, and our desire to make absolutely sure that
>> we've solidified all of this before doing a release candidate.
>> Fortunately the upgrade from b6 should have no backwards incompatible
>> changes, and should require no changes to your project.
>>
>> B5 users should update to b6 and then b7. B6 users should be able to
>> do a simple easy_install -U as described in the install instructions:
>>
>> (tg2env)$ easy_install -U -i http://www.turbogears.org/2.0/downloads/current/index tg.devtools
>>
>> (instructions: http://turbogears.org/2.0/docs/main/DownloadInstall.html )
>>
>> The check for controller wide security was not working properly, and
>> we discovered that it was not enforcing controller level security
>> restrictions on subcontrollers. We take this very seriously even though
>> it happened in a beta, and we are taking steps to assure that it won't
>> happen again. It turns out that we moved some tests that would have
>> prevented this into another package, and that left one small thing in
>> TG which was no longer tested, and of course that's where our problem
>> was. We've added several tests to make sure this can't happen again,
>> and I've changed the way that we check controller authorization to be
>> less fragile.
>>
>> In order to make sure that the rapid development of our security stuff
>> has not created any other issues, and in order to review all existing
>> authorization/authentication code we'll be holding a security sprint
>> this weekend. We will be adding additional integration tests, and
>> doing a full audit of all security related packages on Sunday.
>>
>> There was also another issue that kept the __before__ method used by
>> our controller security system from running properly. Special thanks
>> goes out to Alberto Valverde for contributing to fixes to both these
>> critical issues.
>>
>> We've also added some more tests to the quickstart. In particular
>> there are tests for the security system built right into the
>> quickstarted project so users can easily see how to assure that their
>> security measures are working the way they expect, and we have some
>> additional helpers for testing authorization rules coming in the next
>> release.
>
>
> Is this by any chance related to the very similar tg1 problem
> http://trac.turbogears.org/ticket/2207 ? Would the tg2 fix also fix
> the tg1 problem?
>

Maybe, as the repoze.what code was inspired by identity. As for fixing it, not at all: they are a totally different code base.
> Cheers,
> Daniel
>
> --
> Psss, psss, put it down! - http://www.cafepress.com/putitdown
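The subcontroller gap described in the quoted announcement, modelled as an added example that is not TurboGears' own code: a toy controller tree with the fragile leaf-only check beside a whole-path check of the kind the announcement says replaced it. The names `allow_only` and `in_group` are assumed to mirror TG2/repoze.what naming only; `resolve_path`, `authorized_leaf_only`, `authorized_whole_path` and `regression_check` are hypothetical helpers written for this illustration.

```python
# Added example, not TurboGears' own dispatcher: a toy controller tree that
# shows why consulting only the controller that finally handles a request
# misses a restriction declared on an enclosing (parent) controller.
# `allow_only` / `in_group` only mirror TG2 + repoze.what naming.

class Controller:
    """A node in the controller tree; `allow_only` is a predicate over the
    request's identity (None means the controller imposes no restriction)."""
    def __init__(self, allow_only=None, **children):
        self.allow_only = allow_only
        self.children = children  # name -> subcontroller

def resolve_path(root, path):
    """Return the controllers traversed while dispatching `path`, root first."""
    chain, node = [root], root
    for segment in [s for s in path.split("/") if s]:
        node = node.children[segment]
        chain.append(node)
    return chain

def permits(controller, identity):
    return controller.allow_only is None or controller.allow_only(identity)

def authorized_leaf_only(root, path, identity):
    """Fragile check: only the final controller's restriction is consulted."""
    return permits(resolve_path(root, path)[-1], identity)

def authorized_whole_path(root, path, identity):
    """Robust check: every controller on the dispatch path must permit."""
    return all(permits(c, identity) for c in resolve_path(root, path))

def in_group(name):
    return lambda identity: name in identity.get("groups", ())

# Constructed tree: /admin is limited to managers; its subcontroller
# /admin/reports declares no restriction of its own.
ROOT = Controller(admin=Controller(allow_only=in_group("managers"),
                                   reports=Controller()))
ANON = {"groups": ()}          # constructed anonymous identity
MANAGER = {"groups": ("managers",)}  # constructed member of "managers"

def regression_check():
    """Mirror the kind of quickstart test the announcement mentions: every
    path under a restricted controller must reject an anonymous identity."""
    return {path: authorized_whole_path(ROOT, path, ANON)
            for path in ("/", "/admin", "/admin/reports")}
```

With the leaf-only check the anonymous identity reaches /admin/reports; with the whole-path check it is refused at /admin and everything beneath it, which is the property a quickstart security test should assert.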
