Commit fdcd5adf authored by Jim Fulton

Bugs Fixed:

- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
  blobs are available. Someone with write access to a ZEO server
  configured to support blobs could read any file on the system
  readable by the server process and remove any file removable by the
  server process.
parent c7523853
...@@ -10,6 +10,12 @@ New Feature: ...@@ -10,6 +10,12 @@ New Feature:
Bugs Fixed: Bugs Fixed:
- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
blobs are available. Someone with write access to a ZEO server
configured to support blobs could read any file on the system
readable by the server process and remove any file removable by the
server process.
- Fixed ``NameError`` in cases where a directory cannot be created, - Fixed ``NameError`` in cases where a directory cannot be created,
e.g. when the necessary permissions are missing. e.g. when the necessary permissions are missing.
......
...@@ -20,7 +20,7 @@ to application logic. ZODB includes features such as a plugable storage ...@@ -20,7 +20,7 @@ to application logic. ZODB includes features such as a plugable storage
interface, rich transaction support, and undo. interface, rich transaction support, and undo.
""" """
VERSION = "3.8.3dev" VERSION = "3.8.3"
# The (non-obvious!) choices for the Trove Development Status line: # The (non-obvious!) choices for the Trove Development Status line:
# Development Status :: 5 - Production/Stable # Development Status :: 5 - Production/Stable
......
...@@ -530,7 +530,7 @@ class ZEOStorage: ...@@ -530,7 +530,7 @@ class ZEOStorage:
assert self.blob_tempfile is None assert self.blob_tempfile is None
self.blob_tempfile = tempfile.mkstemp( self.blob_tempfile = tempfile.mkstemp(
dir=self.storage.temporaryDirectory()) dir=self.storage.temporaryDirectory())
def storeBlobChunk(self, chunk): def storeBlobChunk(self, chunk):
os.write(self.blob_tempfile[0], chunk) os.write(self.blob_tempfile[0], chunk)
...@@ -542,6 +542,16 @@ class ZEOStorage: ...@@ -542,6 +542,16 @@ class ZEOStorage:
def storeBlobShared(self, oid, serial, data, filename, version, id): def storeBlobShared(self, oid, serial, data, filename, version, id):
# Reconstruct the full path from the filename in the OID directory # Reconstruct the full path from the filename in the OID directory
if (os.path.sep in filename
or not (filename.endswith('.tmp')
or filename[:-1].endswith('.tmp')
)
):
logger.critical(
"We're under attack! (bad filename to storeBlobShared, %r)",
filename)
raise ValueError(filename)
filename = os.path.join(self.storage.fshelper.getPathForOID(oid), filename = os.path.join(self.storage.fshelper.getPathForOID(oid),
filename) filename)
self.blob_log.append((oid, serial, data, filename, version)) self.blob_log.append((oid, serial, data, filename, version))
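Review bot: The separator test on the first added line checks only `os.path.sep`, so on a Windows server a `filename` containing `/` (which `os.path.altsep` also treats as a separator) or a drive-relative name such as `c:evil.tmp` (for which `os.path.join` documents that preceding components are discarded) still reaches the `os.path.join` below and can yield a path outside the OID directory; the `.tmp` suffix test does not block either form. A guard that does not depend on platform separator rules is to verify containment after the join: `oid_dir = self.storage.fshelper.getPathForOID(oid)`, `filename = os.path.join(oid_dir, filename)`, then `if os.path.dirname(os.path.abspath(filename)) != os.path.abspath(oid_dir): raise ValueError(filename)`, keeping the existing `logger.critical` call on that branch. An equivalent pre-join check is to reject any name where `os.path.basename(filename) != filename` or `os.path.splitdrive(filename)[0]` is non-empty. The tail of `storeBlobShared` may continue past this hunk, so whether the stored path is canonicalised before the later rename or unlink cannot be seen from here.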
......