- Merge a number of entangled issues from 2.6 / 2.7 audit: Iteration over sequences could in some cases fail to check access to an object obtained from the sequence. Subsequent checks (such as for attributes access) of such an object would still be performed, but it should not have been possible to obtain the object in the first place. List and dictionary instance methods such as the get method of dictionary objects were not security aware and could return an object without checking access to that object. Subsequent checks (such as for attributes access) of such an object would still be performed, but it should not have been possible to obtain the object in the first place. Use of "import as" in Python scripts could potentially rebind names in ways that could be used to avoid appropriate security checks. A number of newer built-ins were either unavailable in untrusted code or did not perform adequate security checking. Unpacking via function calls, variable assignment, exception variables and other contexts did not perform adequate security checks, potentially allowing access to objects that should have been protected. Class security was not properly intialized for PythonScripts, potentially allowing access to variables that should be protected. It turned out that most of the security assertions were in fact activated as a side effect of other code, but this fix is still appropriate to ensure that all security declarations are properly applied. DTMLMethods with proxy rights could incorrectly transfer those rights via acquisition when traversing to a parent object.
Showing
Please register or sign in to comment