On 08/23/2012 11:23 AM, li...@nidelven-it.no wrote:
> does this have any security implications?

The bug doesn't provide any obvious attack vector. Applications which
used the doubly-unusual feature ('__roles__' being a class instance,
rather than a list or tuple, and in addition having a
'rolesForPermission' method) would have the last-used such class have
its 'rolesForPermission' used instead of the normal 'global' one in
subsequent initial checks inside
'AccessControl.ZopeSecurityPolicy.get_roles'.

Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev