Commit 86a2eab6 authored by Jim Fulton's avatar Jim Fulton

Bugs Fixed

- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
  blobs are available. Someone with write access to a ZEO server
  configured to support blobs could read any file on the system
  readable by the server process and remove any file removable by the
  server process.
parent 0b22c9f8
......@@ -20,7 +20,7 @@ to application logic. ZODB includes features such as a plugable storage
interface, rich transaction support, and undo.
"""
VERSION = "3.9.0dev"
VERSION = "3.9.0c2"
from ez_setup import use_setuptools
use_setuptools()
......
......@@ -2,12 +2,18 @@
Change History
================
3.9.0c2 (2009-08-??)
3.9.0c2 (2009-09-01)
====================
Bugs Fixed
----------
- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
blobs are available. Someone with write access to a ZEO server
configured to support blobs could read any file on the system
readable by the server process and remove any file removable by the
server process.
- BTrees (and TreeSets) kept references to internal keys.
https://bugs.launchpad.net/zope3/+bug/294788
......
......@@ -28,7 +28,6 @@ import sys
import tempfile
import threading
import time
import warnings
import itertools
import transaction
......@@ -609,6 +608,17 @@ class ZEOStorage:
def storeBlobShared(self, oid, serial, data, filename, id):
# Reconstruct the full path from the filename in the OID directory
if (os.path.sep in filename
or not (filename.endswith('.tmp')
or filename[:-1].endswith('.tmp')
)
):
logger.critical(
"We're under attack! (bad filename to storeBlobShared, %r)",
filename)
raise ValueError(filename)
filename = os.path.join(self.storage.fshelper.getPathForOID(oid),
filename)
self.blob_log.append((oid, serial, data, filename))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment