Commit 2f83ab14 authored by Christophe Dumez's avatar Christophe Dumez

- Fixed security hole in ERP5Subversion that allowed users to delete files...

- Fixed security hole in ERP5Subversion that allowed users to delete files owned by zope (like Data.fs)


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@9505 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 71aed7ea
...@@ -139,6 +139,8 @@ class SubversionConflictError(Exception): ...@@ -139,6 +139,8 @@ class SubversionConflictError(Exception):
""" """
pass pass
class SubversionSecurityError(Exception): pass
class SubversionBusinessTemplateNotInstalled(Exception): class SubversionBusinessTemplateNotInstalled(Exception):
""" Exception called when the business template is not installed """ Exception called when the business template is not installed
""" """
...@@ -1053,9 +1055,12 @@ class SubversionTool(BaseTool, UniqueObject, Folder): ...@@ -1053,9 +1055,12 @@ class SubversionTool(BaseTool, UniqueObject, Folder):
return conflicted_list return conflicted_list
security.declareProtected('Import/Export objects', 'removeAllInList') security.declareProtected('Import/Export objects', 'removeAllInList')
def removeAllInList(self, path_list): def removeAllInList(self, path_list, REQUEST=None):
"""Remove all files and folders in list """Remove all files and folders in list
""" """
if REQUEST is not None:
# Security hole fix
raise SubversionSecurityError, 'You are not allowed to delete these files'
for file_path in path_list: for file_path in path_list:
removeAll(self._getWorkingPath(file_path)) removeAll(self._getWorkingPath(file_path))
......
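Review bot: The `if REQUEST is not None` guard in removeAllInList rejects only calls that arrive with a REQUEST, which is presumably direct publishing through the web. Any caller that reaches the method without one still passes every entry of path_list to `removeAll(self._getWorkingPath(file_path))`, with only the 'Import/Export objects' permission in the way. Whether `_getWorkingPath` confines its result to the working copy is not visible in this hunk, so I would add a containment check inside the loop: resolve each path and raise SubversionSecurityError unless it lies under the working-copy root, which closes the Data.fs deletion at its source. The comment `# Security hole fix` would say more as `# REQUEST is only set when the method is published through the web; refuse such calls`. SubversionSecurityError in the first hunk also lacks the docstring that its neighbouring exception classes carry.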