Commit fdcd5adf authored by Jim Fulton's avatar Jim Fulton

Bugs Fixed:

- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
  blobs are available. Someone with write access to a ZEO server
  configured to support blobs could read any file on the system
  readable by the server process and remove any file removable by the
  server process.
parent c7523853
......@@ -10,6 +10,12 @@ New Feature:
Bugs Fixed:
- CVE-2009-2701: Fixed a vulnerability in ZEO storage servers when
blobs are available. Someone with write access to a ZEO server
configured to support blobs could read any file on the system
readable by the server process and remove any file removable by the
server process.
- Fixed ``NameError`` in cases where a directory cannot be created,
e.g. when the necessary permissions are missing.
......
......@@ -20,7 +20,7 @@ to application logic. ZODB includes features such as a plugable storage
interface, rich transaction support, and undo.
"""
VERSION = "3.8.3dev"
VERSION = "3.8.3"
# The (non-obvious!) choices for the Trove Development Status line:
# Development Status :: 5 - Production/Stable
......
......@@ -542,6 +542,16 @@ class ZEOStorage:
def storeBlobShared(self, oid, serial, data, filename, version, id):
# Reconstruct the full path from the filename in the OID directory
if (os.path.sep in filename
or not (filename.endswith('.tmp')
or filename[:-1].endswith('.tmp')
)
):
logger.critical(
"We're under attack! (bad filename to storeBlobShared, %r)",
filename)
raise ValueError(filename)
filename = os.path.join(self.storage.fshelper.getPathForOID(oid),
filename)
self.blob_log.append((oid, serial, data, filename, version))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment