Gentoo's Bugzilla – Attachment 147233 Details for
Bug 214666
www-apps/roundup < 1.4.4-r1 does not check property permissions (CVE-2008-1475)
[patch]
patch
xmlrpc_property_permissions.patch (text/plain), 7.73 KB, created by
Lars Hartmann
on 2008-03-25 10:21:27 UTC
Description:
patch
Filename:
MIME Type:
Creator:
Lars Hartmann
Created:
2008-03-25 10:21:27 UTC
Size:
7.73 KB
patch
obsolete
>Index: roundup/xmlrpc.py
>===================================================================
>RCS file: /cvsroot/roundup/roundup/roundup/xmlrpc.py,v
>retrieving revision 1.5
>diff -u -r1.5 xmlrpc.py
>--- roundup/xmlrpc.py 3 Nov 2007 00:50:37 -0000 1.5
>+++ roundup/xmlrpc.py 4 Mar 2008 18:13:49 -0000
>@@ -63,13 +63,10 @@
> def close(self):
> """Close the database, after committing any changes, if needed."""
>
>- if getattr(self, 'db'):
>- try:
>- if self.db.transactions:
>- self.db.commit()
>- finally:
>- self.db.close()
>-
>+ try:
>+ self.db.commit()
>+ finally:
>+ self.db.close()
>
> def get_class(self, classname):
> """Return the class for the given classname."""
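Review bot: close() now commits unconditionally, and because every handler in this patch calls r.close() from a `finally:` block, an exception raised after a write has already happened will commit the partial change instead of discarding it; the removed version committed only when `self.db.transactions` was non-empty, and the removed handlers never reached close() on the exception path at all. Whether any handler can write before raising is not visible in this hunk, but the safe shape is to roll back before the commit-on-close runs, e.g. in each handler `except Exception: r.db.rollback(); raise` placed ahead of the `finally:` (assuming the backend exposes rollback(), as the Roundup backends generally do). The docstring still says "if needed", which no longer matches the code; `"""Commit and close the database."""` would be accurate.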
>@@ -115,51 +112,52 @@
>
> def list(self, username, password, classname, propname=None):
> r = RoundupRequest(self.tracker, username, password)
>- cl = r.get_class(classname)
>- if not propname:
>- propname = cl.labelprop()
>- def has_perm(itemid):
>- return True
>- r.db.security.hasPermission('View', r.userid, classname,
>- itemid=itemid, property=propname)
>- result = [cl.get(id, propname) for id in cl.list()
>- if has_perm(id)]
>- r.close()
>+ try:
>+ cl = r.get_class(classname)
>+ if not propname:
>+ propname = cl.labelprop()
>+ result = [ cl.get(itemid, propname) for itemid in cl.list()
>+ if r.db.security.hasPermission \
>+ ('View', r.userid, classname, propname, itemid)
>+ ]
>+ finally:
>+ r.close()
> return result
>
> def display(self, username, password, designator, *properties):
> r = RoundupRequest(self.tracker, username, password)
>- classname, itemid = hyperdb.splitDesignator(designator)
>-
>- if not r.db.security.hasPermission('View', r.userid, classname,
>- itemid=itemid):
>- raise Unauthorised('Permission to view %s denied'%designator)
>-
>- cl = r.get_class(classname)
>- props = properties and list(properties) or cl.properties.keys()
>- props.sort()
>- result = [(property, cl.get(itemid, property)) for property in props]
>- r.close()
>+ try:
>+ classname, itemid = hyperdb.splitDesignator(designator)
>+ cl = r.get_class(classname)
>+ props = properties and list(properties) or cl.properties.keys()
>+ props.sort()
>+ for p in props:
>+ if not r.db.security.hasPermission \
>+ ('View', r.userid, classname, p, itemid):
>+ raise Unauthorised \
>+ ('Permission to view %s of %s denied' % (p, designator))
>+ result = [(prop, cl.get(itemid, prop)) for prop in props]
>+ finally:
>+ r.close()
> return dict(result)
>
> def create(self, username, password, classname, *args):
> r = RoundupRequest(self.tracker, username, password)
>+ try:
>+ if not r.db.security.hasPermission('Create', r.userid, classname):
>+ raise Unauthorised('Permission to create %s 
denied'%classname)
>
>- if not r.db.security.hasPermission('Create', r.userid, classname):
>- raise Unauthorised('Permission to create %s denied'%classname)
>-
>- cl = r.get_class(classname)
>+ cl = r.get_class(classname)
>
>- # convert types
>- props = r.props_from_args(cl, args)
>+ # convert types
>+ props = r.props_from_args(cl, args)
>
>- # check for the key property
>- key = cl.getkey()
>- if key and not props.has_key(key):
>- raise UsageError, 'you must provide the "%s" property.'%key
>+ # check for the key property
>+ key = cl.getkey()
>+ if key and not props.has_key(key):
>+ raise UsageError, 'you must provide the "%s" property.'%key
>
>- # do the actual create
>- try:
>+ # do the actual create
> try:
> result = cl.create(**props)
> except (TypeError, IndexError, ValueError), message:
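Review bot: create() still checks only the class-level 'Create' permission, while the new set() in the next hunk checks 'Edit' for every property the caller supplies; a permission scoped to a subset of properties would therefore be enforced on edit but bypassed on creation. The per-property check belongs right after `props = r.props_from_args(cl, args)`: `for p in props.iterkeys():` / `if not r.db.security.hasPermission('Create', r.userid, classname, p):` / `raise Unauthorised('Permission to create %s of %s denied' % (p, classname))`. I am inferring from the set() change that hasPermission accepts a property for 'Create' as it does for 'Edit'; worth confirming against security.py. The body of create() continues past the end of this hunk.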
>@@ -170,19 +168,17 @@
>
> def set(self, username, password, designator, *args):
> r = RoundupRequest(self.tracker, username, password)
>- classname, itemid = hyperdb.splitDesignator(designator)
>-
>- if not r.db.security.hasPermission('Edit', r.userid, classname,
>- itemid=itemid):
>- raise Unauthorised('Permission to edit %s denied'%designator)
>-
>- cl = r.get_class(classname)
>-
>- # convert types
>- props = r.props_from_args(cl, args)
> try:
>+ classname, itemid = hyperdb.splitDesignator(designator)
>+ cl = r.get_class(classname)
>+ props = r.props_from_args(cl, args) # convert types
>+ for p in props.iterkeys ():
>+ if not r.db.security.hasPermission \
>+ ('Edit', r.userid, classname, p, itemid):
>+ raise Unauthorised\
>+ ('Permission to edit %s of %s denied'%(p, designator))
> try:
>- cl.set(itemid, **props)
>+ return cl.set(itemid, **props)
> except (TypeError, IndexError, ValueError), message:
> raise UsageError, message
> finally:
>Index: test/db_test_base.py
>===================================================================
>RCS file: /cvsroot/roundup/roundup/test/db_test_base.py,v
>retrieving revision 1.96
>diff -u -r1.96 db_test_base.py
>--- test/db_test_base.py 7 Feb 2008 03:28:34 -0000 1.96
>+++ test/db_test_base.py 4 Mar 2008 18:13:50 -0000
>@@ -62,6 +62,7 @@
> tracker = instance.open(dirname)
> if tracker.exists():
> tracker.nuke()
>+ init.write_select_db(dirname, backend)
> tracker.init(password.Password('sekrit'))
> return tracker
>
>@@ -293,7 +294,7 @@
> l = [u1,u2]; l.sort()
> m = self.db.issue.get(nid, "nosy"); m.sort()
> self.assertEqual(l, m)
>-
>+
>
> # XXX one day, maybe...
> # def testMultilinkOrdering(self):
>Index: test/test_xmlrpc.py
>===================================================================
>RCS file: /cvsroot/roundup/roundup/test/test_xmlrpc.py,v
>retrieving revision 1.4
>diff -u -r1.4 test_xmlrpc.py
>--- test/test_xmlrpc.py 3 Nov 2007 00:50:38 -0000 1.4
>+++ test/test_xmlrpc.py 4 Mar 2008 18:13:50 -0000
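Review bot: The per-property hasPermission call in set() passes property and itemid positionally (`('Edit', r.userid, classname, p, itemid)`) where the removed code used `itemid=itemid` by keyword; list() and display() in the previous hunk do the same. For an access-control decision a swapped property/itemid would not raise but would silently answer the wrong question, so spelling the keywords out is cheap insurance: `if not r.db.security.hasPermission('Edit', r.userid, classname, property=p, itemid=itemid):`. Also worth a comment: `return cl.set(itemid, **props)` now hands cl.set's return value back to the XML-RPC caller where the removed line discarded it, which changes what remote clients receive; set()'s tail, including the `finally:` body, lies outside this hunk.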
>@@ -9,23 +9,26 @@
> from roundup.cgi.exceptions import *
> from roundup import init, instance, password, hyperdb, date
> from roundup.xmlrpc import RoundupServer
>+from roundup.backends import list_backends
>
> import db_test_base
>
> NEEDS_INSTANCE = 1
>
> class TestCase(unittest.TestCase):
>+
>+ backend = None
>+
> def setUp(self):
> self.dirname = '_test_xmlrpc'
> # set up and open a tracker
>- self.instance = db_test_base.setupTracker(self.dirname)
>+ self.instance = db_test_base.setupTracker(self.dirname, self.backend)
>
> # open the database
> self.db = self.instance.open('admin')
> self.joeid = 'user' + self.db.user.create(username='joe',
> password=password.Password('random'), address='random@home.org',
> realname='Joe Random', roles='User')
>-
> self.db.commit()
> self.db.close()
>
>@@ -89,10 +92,12 @@
>
> def test_suite():
> suite = unittest.TestSuite()
>- suite.addTest(unittest.makeSuite(TestCase))
>+ for l in list_backends() :
>+ dct = dict(backend = l)
>+ subcls = type(TestCase)('TestCase_%s' % l, (TestCase,), dct)
>+ suite.addTest(unittest.makeSuite(subcls))
> return suite
>
> if __name__ == '__main__':
> runner = unittest.TextTestRunner()
> unittest.main(testRunner=runner)
>-
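Review bot: `unittest.main(testRunner=runner)` still loads tests from the module by class, so running this file directly collects the base `TestCase` with `backend = None` and never the per-backend subclasses built in `test_suite()`; only a harness that calls `test_suite()` itself gets the intended coverage. Pointing main at the suite fixes that: `unittest.main(defaultTest='test_suite', testRunner=runner)`. It is also worth confirming what `db_test_base.setupTracker` and `init.write_select_db` do when handed `backend=None`, since both are outside this hunk and the base class can still be collected by other loaders.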