Hotfix_2000-10-02
This is a "hotfix" product. Hotfix products can be installed to
incorporate modifications to Zope at runtime without requiring
an immediate installation upgrade. Hotfix products are installed
just as you would install any other Zope product.
This hotfix addresses an important security issue that affects
Zope versions 2.2.0, 2.2.1, and 2.2.2.
It is sometimes possible, using nothing more than a URL, to access an
object protected by a role that the user holds in some other context,
but not in the context of the accessed object.
Currently, the validate() method of all known user folder
implementations validates against the users' roles in the context
of PARENTS[0]. PARENTS[0] refers to the acquisition context of the
object being published. All security checks, however, should check
an object's containment, not its acquisition context.
validate(), therefore, needs to verify the user's roles in the
context of the object being published. This hotfix forces that to
occur by temporarily placing the published object at PARENTS[0] and
removing it again once validation has been performed.
Unfortunately, this is not an ideal correction. In the near future
all user folder validate() implementations need to perform security
checks using a modified mechanism. Until that is completed, this
hotfix should close the security problem.
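As an added illustration, not code from the hotfix product or from Zope itself, the following toy model of Zope-style URL traversal with acquisition shows the difference between the two checks described above: roles gathered in the acquisition context of PARENTS[0] versus roles gathered in the containment context of the published object. All object, user and role names are constructed.

```python
# Toy model of Zope 2.2 traversal + role validation (constructed example).

class Obj:
    def __init__(self, name, parent=None, local_roles=None, required=None):
        self.name, self.parent = name, parent          # parent = containment
        self.children, self.local_roles = {}, local_roles or {}
        self.required = required                      # role needed to view
        if parent is not None:
            parent.children[name] = self

def traverse(root, url):
    """Resolve a URL Zope-style: each name is looked up on the current object
    and, failing that, acquired from an object traversed earlier.
    Returns (published_object, PARENTS); PARENTS[0] is the innermost parent."""
    path = [root]
    for name in url.strip("/").split("/"):
        for ctx in reversed(path):                     # acquisition search
            if name in ctx.children:
                path.append(ctx.children[name]); break
        else:
            raise KeyError(name)
    return path[-1], path[-2::-1]

def roles_in(user, chain):
    """Union of a user's local roles along a chain of objects."""
    return set().union(*(o.local_roles.get(user, set()) for o in chain))

def validate_2_2_x(user, published, parents):
    """Pre-hotfix: roles come from the acquisition context of PARENTS[0],
    i.e. whatever objects the URL happened to pass through."""
    return published.required in roles_in(user, parents)

def validate_hotfix(user, published, parents):
    """Post-hotfix behaviour as the README describes it: roles come from the
    containment context of the published object, independent of the URL."""
    chain, o = [], published
    while o is not None:
        chain.append(o); o = o.parent
    return published.required in roles_in(user, chain)

# Constructed site: alice is Manager only inside /project; /private/doc
# requires Manager, and /project/plan also requires Manager.
root = Obj("root")
project = Obj("project", root, local_roles={"alice": {"Manager"}})
plan = Obj("plan", project, required="Manager")
private = Obj("private", root)
doc = Obj("doc", private, required="Manager")

def check(url, validator):
    published, parents = traverse(root, url)
    return validator("alice", published, parents)
```

Requesting /project/private/doc acquires /private/doc through /project, so the pre-hotfix check sees alice's Manager role from /project and grants access; the containment-based check denies it while still allowing /project/plan.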
While we know of no instances of this issue being used to exploit a
site, we recommend that any Zope 2.2.x site that is accessible by
untrusted clients have this hotfix product installed to mitigate the
issue.