1. 30 Jan, 2004 1 commit
  2. 29 Jan, 2004 5 commits
  3. 27 Jan, 2004 11 commits
  4. 24 Jan, 2004 1 commit
  5. 21 Jan, 2004 3 commits
  6. 20 Jan, 2004 1 commit
  7. 19 Jan, 2004 4 commits
  8. 18 Jan, 2004 3 commits
  9. 16 Jan, 2004 5 commits
  10. 15 Jan, 2004 6 commits
    • 52593154  Tres Seaver authored
        - Don't use bare 'eval' to check filtered set membership (merge from
          2.6 / 2.7 audit).
    • e20e60ce  Tres Seaver authored
        - ZConfig changes for ZSP.
    • 48bffa97  Tres Seaver authored
        - Merge a number of entangled issues from 2.6 / 2.7 audit:

          Iteration over sequences could in some cases fail to check access
          to an object obtained from the sequence. Subsequent checks (such
          as for attribute access) of such an object would still be
          performed, but it should not have been possible to obtain the
          object in the first place.

          List and dictionary instance methods such as the get method of
          dictionary objects were not security aware and could return an
          object without checking access to that object. Subsequent checks
          (such as for attribute access) of such an object would still be
          performed, but it should not have been possible to obtain the
          object in the first place.

          Use of "import as" in Python scripts could potentially rebind
          names in ways that could be used to avoid appropriate security
          checks.

          A number of newer built-ins were either unavailable in untrusted
          code or did not perform adequate security checking.

          Unpacking via function calls, variable assignment, exception
          variables and other contexts did not perform adequate security
          checks, potentially allowing access to objects that should have
          been protected.

          Class security was not properly initialized for PythonScripts,
          potentially allowing access to variables that should be protected.
          It turned out that most of the security assertions were in fact
          activated as a side effect of other code, but this fix is still
          appropriate to ensure that all security declarations are properly
          applied.

          DTMLMethods with proxy rights could incorrectly transfer those
          rights via acquisition when traversing to a parent object.
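The first two issues in the commit above (unchecked iteration and a security-unaware dict.get) share one root cause: the sandbox validated attribute access on an object, but the object itself could be obtained from a container before any check ran. The following is an added, constructed illustration of that gap and of the mitigation the audit describes, namely running the access check on every element at the moment it leaves the container. It is not Zope's code; the `Policy` callable, the `Secret`/`Public` classes and the `Unauthorized` exception are assumptions made for the example. Because tuple unpacking and `for` loops both go through iteration, one guarded iterator also covers the "unpacking" case the commit mentions.

```python
"""Constructed illustration of security-aware container access (not Zope code)."""
from dataclasses import dataclass
from typing import Any, Callable, Iterable, Iterator, List, Mapping


class Unauthorized(Exception):
    """Raised when the access policy denies an object to untrusted code."""


# Assumed policy shape: (container, key_or_index, value) -> allowed?
Policy = Callable[[Any, Any, Any], bool]


@dataclass
class Public:
    value: str


@dataclass
class Secret:
    value: str


def deny_secrets(container: Any, key: Any, value: Any) -> bool:
    """Constructed policy: untrusted code may never obtain a Secret."""
    return not isinstance(value, Secret)


def unguarded_values(seq: Iterable) -> List[str]:
    """The pre-audit behaviour: items are obtained with no check at all.

    Attribute access on each item might be checked later, but the object has
    already been handed to the caller, which is what the commit calls out.
    """
    return [item.value for item in seq]


def guarded_iter(seq: Iterable, policy: Policy) -> Iterator:
    """Yield each item only after the policy has validated it.

    Raising here means the object is never obtained by untrusted code,
    regardless of whether it is consumed by a for loop or by unpacking.
    """
    for index, item in enumerate(seq):
        if not policy(seq, index, item):
            raise Unauthorized(f"access to item {index} denied")
        yield item


def guarded_values(seq: Iterable, policy: Policy) -> List[str]:
    """Post-audit counterpart of unguarded_values."""
    return [item.value for item in guarded_iter(seq, policy)]


_MISSING = object()


def guarded_get(mapping: Mapping, key: Any, policy: Policy, default: Any = None) -> Any:
    """Security-aware replacement for dict.get: validate before returning.

    A missing key returns the default without consulting the policy, since
    there is no protected object involved; a present key is checked first.
    """
    value = mapping.get(key, _MISSING)
    if value is _MISSING:
        return default
    if not policy(mapping, key, value):
        raise Unauthorized(f"access to key {key!r} denied")
    return value


if __name__ == "__main__":
    # Constructed sample data: one protected object mixed into a list.
    data = [Public("a"), Secret("s3cr3t"), Public("b")]
    print("unguarded:", unguarded_values(data))  # leaks "s3cr3t"
    try:
        guarded_values(data, deny_secrets)
    except Unauthorized as exc:
        print("guarded:", exc)
    # Unpacking uses the same iterator, so it is covered by the same check.
    first, second = guarded_iter([Public("x"), Public("y")], deny_secrets)
    print("unpacked:", first.value, second.value)
```

The design choice worth noting is where the check sits: on the boundary where the object crosses from container to caller, not on later use. Checking only attribute access (the pre-audit behaviour) still lets untrusted code hold a reference it should never have had, and that reference can be passed to other code paths that perform no check at all.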
    • dd724d52  Tres Seaver authored
        - Wire up security policy selection machinery to ZConfig (note that the
          'C' policy is currently borked, but should be fixed very soon).
    • 2a8a5e38  Tres Seaver authored
        - Don't allow Unicode strings to be passed to response.write() (merged
          from 2.6 / 2.7 audit).
    • d0ebdc24  Tres Seaver authored
        - HTTPResponse.py:  CGI escapes (merged from 2.6 / 2.7 audit).

        - xmlrpc.py:  Exclude "private" attributes when marshalling an instance
          as an XML-RPC dict (merged from 2.6 / 2.7 audit).