Commit 86a2eab6 authored by Jim Fulton's avatar Jim Fulton

Bugs Fixed

- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
  blobs are available. Someone with write access to a ZEO server
  configured to support blobs could read any file on the system
  readable by the server process and remove any file removable by the
  server process.
parent 0b22c9f8
...@@ -20,7 +20,7 @@ to application logic. ZODB includes features such as a plugable storage ...@@ -20,7 +20,7 @@ to application logic. ZODB includes features such as a plugable storage
interface, rich transaction support, and undo. interface, rich transaction support, and undo.
""" """
VERSION = "3.9.0dev" VERSION = "3.9.0c2"
from ez_setup import use_setuptools from ez_setup import use_setuptools
use_setuptools() use_setuptools()
......
...@@ -2,12 +2,18 @@ ...@@ -2,12 +2,18 @@
Change History Change History
================ ================
3.9.0c2 (2009-08-??) 3.9.0c2 (2009-09-01)
==================== ====================
Bugs Fixed Bugs Fixed
---------- ----------
- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
blobs are available. Someone with write access to a ZEO server
configured to support blobs could read any file on the system
readable by the server process and remove any file removable by the
server process.
- BTrees (and TreeSets) kept references to internal keys. - BTrees (and TreeSets) kept references to internal keys.
https://bugs.launchpad.net/zope3/+bug/294788 https://bugs.launchpad.net/zope3/+bug/294788
......
...@@ -28,7 +28,6 @@ import sys ...@@ -28,7 +28,6 @@ import sys
import tempfile import tempfile
import threading import threading
import time import time
import warnings
import itertools import itertools
import transaction import transaction
...@@ -609,6 +608,17 @@ class ZEOStorage: ...@@ -609,6 +608,17 @@ class ZEOStorage:
def storeBlobShared(self, oid, serial, data, filename, id): def storeBlobShared(self, oid, serial, data, filename, id):
# Reconstruct the full path from the filename in the OID directory # Reconstruct the full path from the filename in the OID directory
if (os.path.sep in filename
or not (filename.endswith('.tmp')
or filename[:-1].endswith('.tmp')
)
):
logger.critical(
"We're under attack! (bad filename to storeBlobShared, %r)",
filename)
raise ValueError(filename)
filename = os.path.join(self.storage.fshelper.getPathForOID(oid), filename = os.path.join(self.storage.fshelper.getPathForOID(oid),
filename) filename)
self.blob_log.append((oid, serial, data, filename)) self.blob_log.append((oid, serial, data, filename))
......
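Review bot: The separator test on the first added line of storeBlobShared checks only `os.path.sep`, so on a platform with an alternate separator (`os.path.altsep` is `/` on Windows, `None` on POSIX) a name containing that character passes the guard and is still honoured by `os.path.join`; extend it to `if (os.path.sep in filename or (os.path.altsep and os.path.altsep in filename) or not (...))`. A drive-prefixed name on Windows contains neither separator either, and `os.path.join` discards the left operand when the right one carries a drive, so a filename-only test cannot guarantee the joined path stays inside the OID directory. A belt-and-braces check after the join — keep the result of `self.storage.fshelper.getPathForOID(oid)` in a local, then `if os.path.dirname(os.path.normpath(filename)) != os.path.normpath(base): raise ValueError(filename)` — closes both gaps in two lines (assuming getPathForOID returns the per-OID directory, as its name suggests). The `filename[:-1].endswith('.tmp')` branch is unexplained; a one-line comment stating why exactly one trailing character after `.tmp` is accepted would help the next maintainer. Whether storeBlobShared ends at the blob_log line cannot be seen from the hunk.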