Log message for revision 73392: Undo botched import Changed: D Zope/hotfixes/README.txt D Zope/hotfixes/__init__.py D Zope/hotfixes/tests/ D Zope/hotfixes/version.txt
-=- Deleted: Zope/hotfixes/README.txt
===================================================================
--- Zope/hotfixes/README.txt 2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/README.txt 2007-03-20 09:10:28 UTC (rev 73392)
@@ -1,62 +0,0 @@ -Hotfix-20070320 README - - This hotfix corrects a cross-site scripting vulnerability in Zope2, - where an attacker can use a hidden GET request to leverage a - authenticated user's credentials to alter security settings and/or - user accounts. - - Note that this fix only protects against GET requests, any site that - allows endusers to create auto-submitting forms (through javascript) - will remain vulnerable. - - The hotfix may be removed after upgrading to a version of Zope2 more - recent than this hotfix. - - Affected Versions - - - Zope 2.8.0 - 2.8.8 - - - Zope 2.9.0 - 2.9.6 - - - Zope 2.10.0 - 2.10.2 - - - Earlier versions of Zope 2 are affected as well, but no new - releases for older major Zope releases (Zope 2.7 and earlier) will - be made. This Hotfix may work for older versions, but this has not - been tested. - - Installing the Hotfix - - This hotfix is installed as a standard Zope2 product. The following - examples assume that your Zope instance is located at - '/var/zope/instance': please adjust according to your actual - instance path. Also note that hotfix products are *not* intended - for installation into the "software home" of your Zope. - - 1. Unpack the tarball / zipfile for the Hotfix into a temporary - location:: - - $ cd /tmp - $ tar xzf ~/Hotfix_20070320.tar.gz - - 2. Copy or move the product directory from the unpacked directory - to the 'Products' directory of your Zope instance:: - - $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/ - - 3. Restart Zope:: - - $ /var/zope/instance/bin/zopectl restart - - Uninstalling the Hotfix - - After upgrading Zope to one of the fixed versions, you should remove - this hotfix product from your Zope instance. - - 1. Remove the product directory from your instance 'Products':: - - $ rm -rf /var/zope/instance/Products/Hotfix_20070320/ - - 2. 
Restart Zope::
-
- $ /var/zope/instance/bin/zopectl restart
Deleted: Zope/hotfixes/__init__.py
===================================================================
--- Zope/hotfixes/__init__.py 2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/__init__.py 2007-03-20 09:10:28 UTC (rev 73392)
@@ -1,122 +0,0 @@ -############################################################################# -# -# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved. -# -# This software is subject to the provisions of the Zope Public License, -# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution. -# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED -# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS -# FOR A PARTICULAR PURPOSE -# -############################################################################## - -"""Hotfix_20070319 - -Protect security methods against GET requests. - -""" - -import inspect -from zExceptions import Forbidden -from ZPublisher.HTTPRequest import HTTPRequest - -def _buildFacade(spec, docstring): - """Build a facade function, matching the decorated method in signature. - - Note that defaults are replaced by None, and _curried will reconstruct - these to preserve mutable defaults. 
-
- """
- args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec)
- callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec)
- return 'def _facade%s:\n """%s"""\n return _curried%s' % (
- args, docstring, callargs)
-
-def postonly(callable):
- """Only allow callable when request method is POST."""
- spec = inspect.getargspec(callable)
- args, defaults = spec[0], spec[3]
- try:
- r_index = args.index('REQUEST')
- except ValueError:
- raise ValueError('No REQUEST parameter in callable signature')
-
- arglen = len(args)
- if defaults is not None:
- defaults = zip(args[arglen - len(defaults):], defaults)
- arglen -= len(defaults)
-
- def _curried(*args, **kw):
- request = None
- if len(args) > r_index:
- request = args[r_index]
-
- if isinstance(request, HTTPRequest):
- if request.get('REQUEST_METHOD', 'GET').upper() != 'POST':
- raise Forbidden('Request must be POST')
-
- # Reconstruct keyword arguments
- if defaults is not None:
- args, kwparams = args[:arglen], args[arglen:]
- for positional, (key, default) in zip(kwparams, defaults):
- if positional is None:
- kw[key] = default
- else:
- kw[key] = positional
-
- return callable(*args, **kw)
-
- facade_globs = dict(_curried=_curried)
- exec _buildFacade(spec, callable.__doc__) in facade_globs
- return facade_globs['_facade']
-
-# Add REQUEST to BasicUserFolder.userFolder* methods as well as protect them
-from AccessControl.User import BasicUserFolder
-
-_original_ufAddUser = BasicUserFolder.userFolderAddUser
-def ufAddUser(self, name, password, roles, domains, REQUEST=None, **kw):
- return _original_ufAddUser(self, name, password, roles, domains, **kw)
-ufAddUser.__doc__ = _original_ufAddUser.__doc__
-BasicUserFolder.userFolderAddUser = postonly(ufAddUser)
-
-_original_ufEditUser = BasicUserFolder.userFolderEditUser
-def ufEditUser(self, name, password, roles, domains, REQUEST=None, **kw):
- return _original_ufEditUser(self, name, password, roles, domains, **kw)
-ufEditUser.__doc__ =
_original_ufEditUser.__doc__
-BasicUserFolder.userFolderEditUser = postonly(ufEditUser)
-
-_original_ufDelUsers = BasicUserFolder.userFolderDelUsers
-def ufDelUsers(self, names, REQUEST=None):
- return _original_ufDelUsers(self, names)
-ufDelUsers.__doc__ = _original_ufDelUsers.__doc__
-BasicUserFolder.userFolderDelUsers = postonly(ufDelUsers)
-
-BasicUserFolder.manage_setUserFolderProperties = postonly(
- BasicUserFolder.manage_setUserFolderProperties)
-BasicUserFolder._addUser = postonly(BasicUserFolder._addUser)
-BasicUserFolder._changeUser = postonly(BasicUserFolder._changeUser)
-BasicUserFolder._delUsers = postonly(BasicUserFolder._delUsers)
-
-from AccessControl.Owned import Owned
-Owned.manage_takeOwnership = postonly(Owned.manage_takeOwnership)
-Owned.manage_changeOwnershipType = postonly(Owned.manage_changeOwnershipType)
-
-from AccessControl.PermissionMapping import RoleManager as PMRM
-PMRM.manage_setPermissionMapping = postonly(PMRM.manage_setPermissionMapping)
-
-from AccessControl.Role import RoleManager as RMRM
-RMRM.manage_acquiredPermissions = postonly(RMRM.manage_acquiredPermissions)
-RMRM.manage_permission = postonly(RMRM.manage_permission)
-RMRM.manage_changePermissions = postonly(RMRM.manage_changePermissions)
-RMRM.manage_addLocalRoles = postonly(RMRM.manage_addLocalRoles)
-RMRM.manage_setLocalRoles = postonly(RMRM.manage_setLocalRoles)
-RMRM.manage_delLocalRoles = postonly(RMRM.manage_delLocalRoles)
-RMRM._addRole = postonly(RMRM._addRole)
-RMRM._delRoles = postonly(RMRM._delRoles)
-
-from OFS.DTMLMethod import DTMLMethod
-DTMLMethod.manage_proxy = postonly(DTMLMethod.manage_proxy)
-
-from Products.PythonScripts.PythonScript import PythonScript
-PythonScript.manage_proxy = postonly(PythonScript.manage_proxy)
Deleted: Zope/hotfixes/version.txt
===================================================================
--- Zope/hotfixes/version.txt 2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/version.txt 2007-03-20 09:10:28 UTC (rev 73392)
@@ -1 +0,0 @@
-Hotfix_20070320
_______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins