r725 - zope2.9/branches/etch/debian/patches
Jérémy Bobbio
lunar at alioth.debian.org
Wed Mar 28 23:46:39 UTC 2007
Author: lunar
Date: 2007-03-28 22:46:38 +0000 (Wed, 28 Mar 2007)
New Revision: 725
Added:
zope2.9/branches/etch/debian/patches/cve-2007-0240.dpatch
Modified:
zope2.9/branches/etch/debian/patches/00list
Log:
Add patch fixing CVE-2007-0240 (backporting changes from Zope 2.9.7).
Modified: zope2.9/branches/etch/debian/patches/00list
===================================================================
--- zope2.9/branches/etch/debian/patches/00list 2007-03-28 21:30:20 UTC (rev 724)
+++ zope2.9/branches/etch/debian/patches/00list 2007-03-28 22:46:38 UTC (rev 725)
@@ -1,2 +1,3 @@
deb-zopeconf
webdav
+cve-2007-0240
Added: zope2.9/branches/etch/debian/patches/cve-2007-0240.dpatch
===================================================================
--- zope2.9/branches/etch/debian/patches/cve-2007-0240.dpatch 2007-03-28 21:30:20 UTC (rev 724)
+++ zope2.9/branches/etch/debian/patches/cve-2007-0240.dpatch 2007-03-28 22:46:38 UTC (rev 725)
@@ -0,0 +1,380 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cve-2007-0240.dpatch by Jérémy Bobbio <lunar at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE 2007-0240
+
+ at DPATCH@
+diff -Naur zope2.9-2.9.6.orig/z/lib/python/AccessControl/Owned.py z/lib/python/AccessControl/Owned.py
+--- zope2.9-2.9.6.orig/z/lib/python/AccessControl/Owned.py 2006-11-21 07:14:22.000000000 +0100
++++ zope2.9-2.9.6/z/lib/python/AccessControl/Owned.py 2007-03-28 23:48:11.993639000 +0200
+@@ -18,6 +18,7 @@
+ import Globals, urlparse, SpecialUsers, ExtensionClass
+ from AccessControl import getSecurityManager, Unauthorized
+ from Acquisition import aq_get, aq_parent, aq_base
++from requestmethod import postonly
+ from zope.interface import implements
+
+ from interfaces import IOwned
+@@ -175,6 +176,7 @@
+ if owner == info: return 0
+ return security.checkPermission('Take ownership', self)
+
++ @postonly
+ def manage_takeOwnership(self, REQUEST, RESPONSE, recursive=0):
+ """Take ownership (responsibility) for an object.
+
+@@ -194,6 +196,7 @@
+
+ RESPONSE.redirect(REQUEST['HTTP_REFERER'])
+
++ @postonly
+ def manage_changeOwnershipType(self, explicit=1,
+ RESPONSE=None, REQUEST=None):
+ """Change the type (implicit or explicit) of ownership.
+diff -Naur zope2.9-2.9.6.orig/z/lib/python/AccessControl/PermissionMapping.py z/lib/python/AccessControl/PermissionMapping.py
+--- zope2.9-2.9.6.orig/z/lib/python/AccessControl/PermissionMapping.py 2006-11-21 07:14:22.000000000 +0100
++++ zope2.9-2.9.6/z/lib/python/AccessControl/PermissionMapping.py 2007-03-25 11:41:38.000000000 +0200
+@@ -28,6 +28,7 @@
+ from interfaces import IPermissionMappingSupport
+ from Owned import UnownableOwner
+ from Permission import pname
++from requestmethod import postonly
+
+
+ class RoleManager:
+@@ -58,6 +59,7 @@
+ a({'permission_name': ac_perms[0], 'class_permission': p})
+ return r
+
++ @postonly
+ def manage_setPermissionMapping(self,
+ permission_names=[],
+ class_permissions=[], REQUEST=None):
+diff -Naur zope2.9-2.9.6.orig/z/lib/python/AccessControl/Role.py z/lib/python/AccessControl/Role.py
+--- zope2.9-2.9.6.orig/z/lib/python/AccessControl/Role.py 2006-11-21 07:14:22.000000000 +0100
++++ zope2.9-2.9.6/z/lib/python/AccessControl/Role.py 2007-03-25 11:41:38.000000000 +0200
+@@ -24,6 +24,7 @@
+
+ from interfaces import IRoleManager
+ from Permission import Permission
++from requestmethod import postonly
+
+
+ DEFAULTMAXLISTUSERS=250
+@@ -135,6 +136,7 @@
+ help_topic='Security_Manage-Role.stx',
+ help_product='OFSP')
+
++ @postonly
+ def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
+ """Change the permissions given to the given role.
+ """
+@@ -151,6 +153,7 @@
+ help_topic='Security_Manage-Acquisition.stx',
+ help_product='OFSP')
+
++ @postonly
+ def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
+ """Change the permissions that acquire.
+ """
+@@ -170,6 +173,7 @@
+ help_topic='Security_Manage-Permission.stx',
+ help_product='OFSP')
+
++ @postonly
+ def manage_permission(self, permission_to_manage,
+ roles=[], acquire=0, REQUEST=None):
+ """Change the settings for the given permission.
+@@ -206,6 +210,7 @@
+ else:
+ return apply(self._normal_manage_access,(), kw)
+
++ @postonly
+ def manage_changePermissions(self, REQUEST):
+ """Change all permissions settings, called by management screen.
+ """
+@@ -353,6 +358,7 @@
+ dict=self.__ac_local_roles__ or {}
+ return tuple(dict.get(userid, []))
+
++ @postonly
+ def manage_addLocalRoles(self, userid, roles, REQUEST=None):
+ """Set local roles for a user."""
+ if not roles:
+@@ -370,6 +376,7 @@
+ stat='Your changes have been saved.'
+ return self.manage_listLocalRoles(self, REQUEST, stat=stat)
+
++ @postonly
+ def manage_setLocalRoles(self, userid, roles, REQUEST=None):
+ """Set local roles for a user."""
+ if not roles:
+@@ -383,6 +390,7 @@
+ stat='Your changes have been saved.'
+ return self.manage_listLocalRoles(self, REQUEST, stat=stat)
+
++ @postonly
+ def manage_delLocalRoles(self, userids, REQUEST=None):
+ """Remove all local roles for a user."""
+ dict=self.__ac_local_roles__
+@@ -473,6 +481,7 @@
+
+ return self.manage_access(REQUEST)
+
++ @postonly
+ def _addRole(self, role, REQUEST=None):
+ if not role:
+ return MessageDialog(
+@@ -490,6 +499,7 @@
+ if REQUEST is not None:
+ return self.manage_access(REQUEST)
+
++ @postonly
+ def _delRoles(self, roles, REQUEST=None):
+ if not roles:
+ return MessageDialog(
+diff -Naur zope2.9-2.9.6.orig/z/lib/python/AccessControl/User.py z/lib/python/AccessControl/User.py
+--- zope2.9-2.9.6.orig/z/lib/python/AccessControl/User.py 2006-11-21 07:14:22.000000000 +0100
++++ zope2.9-2.9.6/z/lib/python/AccessControl/User.py 2007-03-25 11:41:38.000000000 +0200
+@@ -31,6 +31,7 @@
+ import AuthEncoding
+ import SpecialUsers
+ from interfaces import IStandardUserFolder
++from requestmethod import postonly
+ from PermissionRole import _what_not_even_god_should_do, rolesForPermissionOn
+ from Role import RoleManager, DEFAULTMAXLISTUSERS
+ from SecurityManagement import getSecurityManager
+@@ -534,7 +535,9 @@
+ # Authors of custom user folders don't need to do anything special to
+ # support these - they will just call the appropriate '_' methods that
+ # user folder subclasses already implement.
+- def userFolderAddUser(self, name, password, roles, domains, **kw):
++ @postonly
++ def userFolderAddUser(self, name, password, roles, domains,
++ REQUEST=None, **kw):
+ """API method for creating a new user object. Note that not all
+ user folder implementations support dynamic creation of user
+ objects."""
+@@ -542,7 +545,9 @@
+ return self._doAddUser(name, password, roles, domains, **kw)
+ raise NotImplementedError
+
+- def userFolderEditUser(self, name, password, roles, domains, **kw):
++ @postonly
++ def userFolderEditUser(self, name, password, roles, domains,
++ REQUEST=None, **kw):
+ """API method for changing user object attributes. Note that not
+ all user folder implementations support changing of user object
+ attributes."""
+@@ -550,7 +555,8 @@
+ return self._doChangeUser(name, password, roles, domains, **kw)
+ raise NotImplementedError
+
+- def userFolderDelUsers(self, names):
++ @postonly
++ def userFolderDelUsers(self, names, REQUEST=None):
+ """API method for deleting one or more user objects. Note that not
+ all user folder implementations support deletion of user objects."""
+ if hasattr(self, '_doDelUsers'):
+@@ -792,6 +798,7 @@
+ self, REQUEST, manage_tabs_message=manage_tabs_message,
+ management_view='Properties')
+
++ @postonly
+ def manage_setUserFolderProperties(self, encrypt_passwords=0,
+ update_passwords=0,
+ maxlistusers=DEFAULTMAXLISTUSERS,
+@@ -846,7 +853,7 @@
+
+ return 1
+
+-
++ @postonly
+ def _addUser(self,name,password,confirm,roles,domains,REQUEST=None):
+ if not name:
+ return MessageDialog(
+@@ -882,7 +889,7 @@
+ self._doAddUser(name, password, roles, domains)
+ if REQUEST: return self._mainUser(self, REQUEST)
+
+-
++ @postonly
+ def _changeUser(self,name,password,confirm,roles,domains,REQUEST=None):
+ if password == 'password' and confirm == 'pconfirm':
+ # Protocol for editUser.dtml to indicate unchanged password
+@@ -920,6 +927,7 @@
+ self._doChangeUser(name, password, roles, domains)
+ if REQUEST: return self._mainUser(self, REQUEST)
+
++ @postonly
+ def _delUsers(self,names,REQUEST=None):
+ if not names:
+ return MessageDialog(
+diff -Naur zope2.9-2.9.6.orig/z/lib/python/AccessControl/requestmethod.py z/lib/python/AccessControl/requestmethod.py
+--- zope2.9-2.9.6.orig/z/lib/python/AccessControl/requestmethod.py 1970-01-01 01:00:00.000000000 +0100
++++ zope2.9-2.9.6/z/lib/python/AccessControl/requestmethod.py 2007-03-25 11:41:38.000000000 +0200
+@@ -0,0 +1,70 @@
++#############################################################################
++#
++# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved.
++#
++# This software is subject to the provisions of the Zope Public License,
++# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
++# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
++# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
++# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
++# FOR A PARTICULAR PURPOSE
++#
++##############################################################################
++
++import inspect
++from zExceptions import Forbidden
++from ZPublisher.HTTPRequest import HTTPRequest
++
++def _buildFacade(spec, docstring):
++ """Build a facade function, matching the decorated method in signature.
++
++ Note that defaults are replaced by None, and _curried will reconstruct
++ these to preserve mutable defaults.
++
++ """
++ args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec)
++ callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec)
++ return 'def _facade%s:\n """%s"""\n return _curried%s' % (
++ args, docstring, callargs)
++
++def postonly(callable):
++ """Only allow callable when request method is POST."""
++ spec = inspect.getargspec(callable)
++ args, defaults = spec[0], spec[3]
++ try:
++ r_index = args.index('REQUEST')
++ except ValueError:
++ raise ValueError('No REQUEST parameter in callable signature')
++
++ arglen = len(args)
++ if defaults is not None:
++ defaults = zip(args[arglen - len(defaults):], defaults)
++ arglen -= len(defaults)
++
++ def _curried(*args, **kw):
++ request = None
++
++ if len(args) > r_index:
++ request = args[r_index]
++
++ if isinstance(request, HTTPRequest):
++ if request.get('REQUEST_METHOD', 'GET').upper() != 'POST':
++ raise Forbidden('Request must be POST')
++
++ # Reconstruct keyword arguments
++ if defaults is not None:
++ args, kwparams = args[:arglen], args[arglen:]
++ for positional, (key, default) in zip(kwparams, defaults):
++ if positional is None:
++ kw[key] = default
++ else:
++ kw[key] = positional
++
++ return callable(*args, **kw)
++
++ # Build a facade, with a reference to our locally-scoped _curried
++ facade_globs = dict(_curried=_curried)
++ exec _buildFacade(spec, callable.__doc__) in facade_globs
++ return facade_globs['_facade']
++
++__all__ = ('postonly',)
+diff -Naur zope2.9-2.9.6.orig/z/lib/python/App/ApplicationManager.py z/lib/python/App/ApplicationManager.py
+--- zope2.9-2.9.6.orig/z/lib/python/App/ApplicationManager.py 2006-11-21 07:14:28.000000000 +0100
++++ zope2.9-2.9.6/z/lib/python/App/ApplicationManager.py 2007-03-26 21:07:34.000000000 +0200
+@@ -31,6 +31,7 @@
+ from version_txt import version_txt
+ from cStringIO import StringIO
+ from AccessControl import getSecurityManager
++from AccessControl.requestmethod import postonly
+ from zExceptions import Redirect
+ from Products.PageTemplates.PageTemplateFile import PageTemplateFile
+ from cgi import escape
+@@ -387,7 +388,8 @@
+
+ if os.environ.has_key('ZMANAGED'):
+ manage_restartable=1
+- def manage_restart(self, URL1):
++ @postonly
++ def manage_restart(self, URL1, REQUEST=None):
+ """Shut down the application"""
+ try:
+ user = '"%s"' % getSecurityManager().getUser().getUserName()
+@@ -402,7 +404,8 @@
+ <body>Zope is restarting</body></html>
+ """ % escape(URL1, 1)
+
+- def manage_shutdown(self):
++ @postonly
++ def manage_shutdown(self, REQUEST=None):
+ """Shut down the application"""
+ try:
+ user = '"%s"' % getSecurityManager().getUser().getUserName()
+@@ -417,6 +420,7 @@
+ <body>Zope is shutting down</body></html>
+ """
+
++ @postonly
+ def manage_pack(self, days=0, REQUEST=None):
+ """Pack the database"""
+
+@@ -471,6 +475,7 @@
+ r.append({'id': v})
+ return r
+
++ @postonly
+ def manage_saveVersions(self, versions, REQUEST=None):
+ "Commit some versions"
+ db=self._p_jar.db()
+@@ -479,6 +484,7 @@
+ if REQUEST is not None:
+ REQUEST['RESPONSE'].redirect(REQUEST['URL1']+'/manage_main')
+
++ @postonly
+ def manage_discardVersions(self, versions, REQUEST=None):
+ "Discard some versions"
+ db=self._p_jar.db()
+diff -Naur zope2.9-2.9.6.orig/z/lib/python/OFS/DTMLMethod.py z/lib/python/OFS/DTMLMethod.py
+--- zope2.9-2.9.6.orig/z/lib/python/OFS/DTMLMethod.py 2006-11-21 07:14:30.000000000 +0100
++++ zope2.9-2.9.6/z/lib/python/OFS/DTMLMethod.py 2007-03-25 11:41:48.000000000 +0200
+@@ -29,6 +29,7 @@
+ import Globals, sys, Acquisition
+ from AccessControl import getSecurityManager
+ from AccessControl.DTML import RestrictedDTML
++from AccessControl.requestmethod import postonly
+ from Cache import Cacheable
+ from zExceptions import Forbidden
+ from zExceptions.TracebackSupplement import PathTracebackSupplement
+@@ -315,6 +316,7 @@
+ 'do not have proxy roles.\n<!--%s, %s-->' % (self.__name__, u, roles))
+
+
++ @postonly
+ def manage_proxy(self, roles=(), REQUEST=None):
+ "Change Proxy Roles"
+ self._validateProxy(REQUEST, roles)
+diff -Naur zope2.9-2.9.6.orig/z/lib/python/Products/PythonScripts/PythonScript.py z/lib/python/Products/PythonScripts/PythonScript.py
+--- zope2.9-2.9.6.orig/z/lib/python/Products/PythonScripts/PythonScript.py 2006-11-21 07:14:23.000000000 +0100
++++ zope2.9-2.9.6/z/lib/python/Products/PythonScripts/PythonScript.py 2007-03-25 11:41:39.000000000 +0200
+@@ -34,6 +34,7 @@
+ from OFS.History import Historical, html_diff
+ from OFS.Cache import Cacheable
+ from AccessControl.ZopeGuards import get_safe_globals, guarded_getattr
++from AccessControl.requestmethod import postonly
+ from zExceptions import Forbidden
+ import Globals
+
+@@ -359,6 +360,7 @@
+ 'manage_proxyForm', 'manage_proxy')
+
+ manage_proxyForm = DTMLFile('www/pyScriptProxy', globals())
++ @postonly
+ def manage_proxy(self, roles=(), REQUEST=None):
+ "Change Proxy Roles"
+ self._validateProxy(roles)
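Review bot: `_buildFacade` in the new requestmethod.py splices `callable.__doc__` verbatim into the source string that `postonly` later passes to `exec`, so any decorated method whose docstring contains `"""` or a trailing backslash breaks at import time, and a method with no docstring receives the literal docstring `"""None"""`. The latter matters in this backport because several of the newly decorated helpers (`_addRole`, `_delRoles`, `_addUser`, `_changeUser`, `_delUsers`) have no docstring, and ZPublisher treats a docstring as the publishable marker; the leading underscore should keep them out of URL traversal, but the decorator should not manufacture one. Quoting the docstring with `%r` and emitting no docstring statement when it is `None` avoids both problems, as in the rewritten lines below. Both `_buildFacade` and `postonly` lie entirely inside the hunk.
```python
def _buildFacade(spec, docstring):
    # … unchanged: docstring, args/callargs construction …
    # repr() the docstring so embedded quotes or backslashes cannot break the
    # exec'd source; a method without a docstring keeps none, so the facade
    # does not become publishable where the original was not.
    doc = ''
    if docstring is not None:
        doc = '    %r\n' % (docstring,)
    return 'def _facade%s:\n%s    return _curried%s' % (args, doc, callargs)
```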
Property changes on: zope2.9/branches/etch/debian/patches/cve-2007-0240.dpatch
___________________________________________________________________
Name: svn:executable
+ *