Commit ada16446 authored by Jim Fulton's avatar Jim Fulton

Bugs Fixed:

- Fixed vulnerabilities in the ZEO network protocol that allow:

CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
  CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers

- Limit the number of object ids that can be allocated at once to
  avoid running out of memory.
parent 84f8633f
......@@ -9,6 +9,23 @@ Bugs Fixed:
- Fixed a pack test that was not compatible with storages that always
return an object count of 0.
Whats new in ZODB 3.8.2
=======================
Bugs Fixed:
- Fixed vulnerabilities in the ZEO network protocol that allow:
- CVE-2009-0668 Arbitrary Python code execution in ZODB ZEO storage servers
- CVE-2009-0669 Authentication bypass in ZODB ZEO storage servers
The vulnerabilities only apply if you are using ZEO to share a
database among multiple applications or application instances and if
untrusted clients are able to connect to your ZEO servers.
- Limit the number of object ids that can be allocated at once to
avoid running out of memory.
Whats new in ZODB 3.8.1
=======================
......
......@@ -20,7 +20,7 @@ to application logic. ZODB includes features such as a plugable storage
interface, rich transaction support, and undo.
"""
VERSION = "3.8.2dev"
VERSION = "3.8.3dev"
# The (non-obvious!) choices for the Trove Development Status line:
# Development Status :: 5 - Production/Stable
......
......@@ -111,7 +111,7 @@ class ZEOStorage:
for func in self.extensions:
self._extensions[func.func_name] = None
def finish_auth(self, authenticated):
def _finish_auth(self, authenticated):
if not self.auth_realm:
return 1
self.authenticated = authenticated
......@@ -421,6 +421,7 @@ class ZEOStorage:
def new_oids(self, n=100):
"""Return a sequence of n new oids, where n defaults to 100"""
n = min(n, 100)
if self.read_only:
raise ReadOnlyError()
if n <= 0:
......
......@@ -121,7 +121,7 @@ class StorageClass(ZEOStorage):
check = hexdigest("%s:%s" % (h_up, challenge))
if check == response:
self.connection.setSessionKey(session_key(h_up, self._key_nonce))
return self.finish_auth(check == response)
return self._finish_auth(check == response)
extensions = [auth_get_challenge, auth_response]
......
......@@ -41,7 +41,7 @@ class StorageClass(ZEOStorage):
self.connection.setSessionKey(session_key(username,
self.database.realm,
password))
return self.finish_auth(dbpw == password_dig)
return self._finish_auth(dbpw == password_dig)
class PlaintextClient(Client):
extensions = ["auth"]
......
......@@ -24,7 +24,7 @@ import traceback, time
import ThreadedAsync
from ZEO.zrpc import smac
from ZEO.zrpc.error import ZRPCError, DisconnectedError
from ZEO.zrpc.marshal import Marshaller
from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
from ZEO.zrpc.trigger import trigger
from ZEO.zrpc.log import short_repr, log
from ZODB.loglevels import BLATHER, TRACE
......@@ -883,6 +883,7 @@ class ManagedServerConnection(Connection):
def __init__(self, sock, addr, obj, mgr):
self.mgr = mgr
self.__super_init(sock, addr, obj, 'S')
self.marshal = ServerMarshaller()
self.obj.notifyConnected(self)
def handshake(self):
......
......@@ -52,6 +52,20 @@ class Marshaller:
level=logging.ERROR)
raise
class ServerMarshaller(Marshaller):
def decode(self, msg):
"""Decodes msg and returns its parts"""
unpickler = cPickle.Unpickler(StringIO(msg))
unpickler.find_global = server_find_global
try:
return unpickler.load() # msgid, flags, name, args
except:
log("can't decode message: %s" % short_repr(msg),
level=logging.ERROR)
raise
_globals = globals()
_silly = ('__doc__',)
......@@ -78,3 +92,21 @@ def find_global(module, name):
return r
raise ZRPCError("Unsafe global: %s.%s" % (module, name))
def server_find_global(module, name):
"""Helper for message unpickler"""
try:
m = __import__(module, _globals, _globals, _silly)
except ImportError, msg:
raise ZRPCError("import error %s: %s" % (module, msg))
try:
r = getattr(m, name)
except AttributeError:
raise ZRPCError("module %s has no global %s" % (module, name))
safe = getattr(r, '__no_side_effects__', 0)
if safe:
return r
raise ZRPCError("Unsafe global: %s.%s" % (module, name))
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment