Bugs Fixed

- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
  blobs are available. Someone with write access to a ZEO server
  configured to support blobs could read any file on the system
  readable by the server process and remove any file removable by the
  server process.

setup.py

@@ -20,7 +20,7 @@ to application logic.  ZODB includes features such as a plugable storage
 interface, rich transaction support, and undo.
 """
 
-VERSION = "3.9.0dev"
+VERSION = "3.9.0c2"
 
 from ez_setup import use_setuptools
 use_setuptools()

src/CHANGES.txt

@@ -2,12 +2,18 @@
  Change History
 ================
 
-3.9.0c2 (2009-08-??)
+3.9.0c2 (2009-09-01)
 ====================
 
 Bugs Fixed
 ----------
 
+- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
+  blobs are available. Someone with write access to a ZEO server
+  configured to support blobs could read any file on the system
+  readable by the server process and remove any file removable by the
+  server process.
+
 - BTrees (and TreeSets) kept references to internal keys.
   https://bugs.launchpad.net/zope3/+bug/294788
 

src/ZEO/StorageServer.py

@@ -28,7 +28,6 @@ import sys
 import tempfile
 import threading
 import time
-import warnings
 import itertools
 
 import transaction
@@ -609,6 +608,17 @@ class ZEOStorage:
 
     def storeBlobShared(self, oid, serial, data, filename, id):
         # Reconstruct the full path from the filename in the OID directory
+
+        if (os.path.sep in filename
+            or not (filename.endswith('.tmp')
+                    or filename[:-1].endswith('.tmp')
+                    )
+            ):
+            logger.critical(
+                "We're under attack! (bad filename to storeBlobShared, %r)",
+                filename)
+            raise ValueError(filename)
+
         filename = os.path.join(self.storage.fshelper.getPathForOID(oid),
                                 filename)
         self.blob_log.append((oid, serial, data, filename))