- Fixed security hole in ERP5Subversion that allowed users to delete files...

- Fixed security hole in ERP5Subversion that allowed users to delete files owned by zope (like Data.fs) git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@9505 20353a03-c40f-0410-a6d1-a30d3c3de9de

- Fixed security hole in ERP5Subversion that allowed users to delete files...
- Fixed security hole in ERP5Subversion that allowed users to delete files owned by zope (like Data.fs) git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@9505 20353a03-c40f-0410-a6d1-a30d3c3de9de
2f83ab14 · Christophe Dumez · 71aed7ea · 2f83ab14
Commit 2f83ab14 authored Aug 28, 2006 by Christophe Dumez
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

product/ERP5Subversion/Tool/SubversionTool.py product/ERP5Subversion/Tool/SubversionTool.py +6 -1

No files found.
--- a/product/ERP5Subversion/Tool/SubversionTool.py
+++ b/product/ERP5Subversion/Tool/SubversionTool.py
@@ -139,6 +139,8 @@ class SubversionConflictError(Exception):
  """
  pass

+class SubversionSecurityError(Exception): pass
+
 class SubversionBusinessTemplateNotInstalled(Exception):
  """ Exception called when the business template is not installed
  """
@@ -1053,9 +1055,12 @@ class SubversionTool(BaseTool, UniqueObject, Folder):
    return conflicted_list

  security.declareProtected('Import/Export objects', 'removeAllInList')
-  def removeAllInList(self, path_list):
+  def removeAllInList(self, path_list, REQUEST=None):
    """Remove all files and folders in list
    """
+    if REQUEST is not None:
+      # Security hole fix
+      raise SubversionSecurityError, 'You are not allowed to delete these files'
    for file_path in path_list:
      removeAll(self._getWorkingPath(file_path))