From: <ke...@us...> - 2006-05-25 16:04:35
Revision: 3063 Author: kevca Date: 2006-05-25 09:04:25 -0700 (Thu, 25 May 2006) ViewCVS: http://svn.sourceforge.net/mailmanager/?rev=3063&view=rev Log Message: ----------- * SECURITY - Added in fix for potential security issue Postgres encoding security hole (#1494281) The code should not be vulnerable to this issue, but additional bugs in the release may expose the vulnerability. Adding in a patch which will prevent the exploit in all cases. Modified Paths: -------------- MailManager/branches/RELENG_2_1/CHANGES.txt MailManager/branches/RELENG_2_1/MailManager.py MailManager/branches/RELENG_2_1/sql/__init__.py Modified: MailManager/branches/RELENG_2_1/CHANGES.txt =================================================================== --- MailManager/branches/RELENG_2_1/CHANGES.txt 2006-05-25 15:36:39 UTC (rev 3062) +++ MailManager/branches/RELENG_2_1/CHANGES.txt 2006-05-25 16:04:25 UTC (rev 3063) @@ -20,8 +20,17 @@ - Filters breaking getMail with unicode messages (#1493620) - AutoLogout not working correctly (#1493641) - Add Note missing from overdue tickets (#1494173) +- Loop detection code prevents mailmanager mailing mailmanager (#1494827) * BUG FIXES From 2.0.8 to 2.0.9 +* BUG FIXES From 2.0.9 to 2.0.10 +* SECURITY +- Added in fix for potential security issue + Postgres encoding security hole (#1494281) + The code should not be vulnerable to this issue, but additional bugs in + the release may expose the vulnerability. Adding in a patch which will + prevent the exploit in all cases. + Version 2.1-RC3 * BUG FIXES - setHTML raises Unicode error (#1477563) Modified: MailManager/branches/RELENG_2_1/MailManager.py =================================================================== --- MailManager/branches/RELENG_2_1/MailManager.py 2006-05-25 15:36:39 UTC (rev 3062) +++ MailManager/branches/RELENG_2_1/MailManager.py 2006-05-25 16:04:25 UTC (rev 3063) 
@@ -29,7 +29,7 @@
 from Products.MailHost.MailHost import manage_addMailHost
 from Products.PageTemplates.ZopePageTemplate import manage_addPageTemplate
 from Products.ZSQLMethods.SQL import manage_addZSQLMethod
-from Products.MailManager.sql import MailManagerSQL
+from Products.MailManager.sql import MailManagerSQL, FSZSQLWrapper, SQLWrapper
 from Products.MailManager.Queueing import BasicQueue, QueueError
 from MMUserFolder import manage_addMMUserFolder
@@ -842,36 +842,40 @@ security.declarePrivate('addZSQLMethods') def addZSQLMethods(self): - """Add some top level ZSQL methods. - These ZSQL method can't be added from a directory view because we want - to use a Pluggable Brain. + """ Add some top level ZSQL methods. + + These are added in manually as SQL objects so that object traversal + will work correctly, and people can access them via http + + The SQLWrapper class includes a fix for the security issue: + Postgres encoding security hole (#1494281) """ - - # Just so they magically survive a migration, should anything change - # in this method, it's now called (via configureDatabasePlatform()) - # every time a migration happens. So we should check to see if they - # exist already and, if so, remove them first. - for zsql_method in ['account', 'attachment', 'ticket']: - if zsql_method in self.objectIds(): - self.manage_delObjects([zsql_method]) - - manage_addZSQLMethod(self, id='account', title='', - connection_id='mailmanager_db', arguments='email', - template='SELECT * ' - 'FROM <dtml-var schema>mm_account ' - 'WHERE <dtml-sqltest email type=nb>') - manage_addZSQLMethod(self, id='attachment', title='', - connection_id='mailmanager_db', arguments='id', - template='SELECT * ' - 'FROM <dtml-var schema>mm_attachment ' - 'WHERE <dtml-sqltest id type=int>') - manage_addZSQLMethod(self, id='ticket', title='', - connection_id='mailmanager_db', - arguments='id', - template='SELECT * ' - 'FROM <dtml-var schema>mm_ticket ' - 'WHERE <dtml-sqltest id type=int>') + # Remove and replace ZSQL methods. 
+ sqlmethods = [('ticket', 'id'), ('attachment', 'id'), ('account', 'email')] + for (zsql_method, arguments) in sqlmethods: + if zsql_method in self.objectIds(): + self.manage_delObjects([zsql_method]) + + # Load the ZSQL file from disk and save the SQL data into the ZoDB + filename = os.path.join(package_home(globals()), 'sql', 'v2_1', '%s.zsql' % zsql_method) + zsqlfile = open(filename,'r') + + # Remove the ZSQL file header + data = '' + header = True + zsqlline = zsqlfile.readline() + while zsqlline: + if not header: + data = data + zsqlline + if '</dtml-comment>' in zsqlline: + header = False + zsqlline = zsqlfile.readline() + zsqlfile.close() + + zfsm = SQLWrapper(zsql_method, zsql_method, 'mailmanager_db', arguments, data) + self._setObject(zsql_method, zfsm) + # Set the pluggable brain and allow direct traversal self.attachment.manage_advanced(1, 1, 0, 'AttachPluggableBrain', 'MailManager.AttachPluggableBrain', 1) @@ -881,7 +885,6 @@ 'MailManager.TicketPluggableBrain', 1) - ############################################################################### ############################################################################### @@ -1568,6 +1571,7 @@ date_str, ticket_id, genRandomString(length=8), + 'test.example' ) security.declareProtected('MailManager Create Tickets', 'createTicket') Modified: MailManager/branches/RELENG_2_1/sql/__init__.py =================================================================== --- MailManager/branches/RELENG_2_1/sql/__init__.py 2006-05-25 15:36:39 UTC (rev 3062) +++ MailManager/branches/RELENG_2_1/sql/__init__.py 2006-05-25 16:04:25 UTC (rev 3063) 
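Review bot: The new file-reading code in addZSQLMethods opens `zsql` files with `open(filename,'r')` and only closes them after the read loop, so any exception while reading leaks the handle, and if a file never contains `</dtml-comment>` the loop leaves `data` empty and an SQLWrapper with an empty template is silently installed under `_setObject`. Wrapping the read in try/finally and failing loudly when the header terminator is missing would make a bad or truncated `.zsql` file visible at install time instead of at query time; collecting lines into a list also avoids the quadratic `data = data + zsqlline`. I am assuming `os` and `package_home` are already imported in this module, since neither appears in the import hunk above. addZSQLMethods continues past the end of this hunk (the `manage_advanced` calls), so only the loading section is shown.
```python
            # Load the ZSQL file from disk and save the SQL data into the ZoDB
            filename = os.path.join(package_home(globals()), 'sql', 'v2_1', '%s.zsql' % zsql_method)
            zsqlfile = open(filename, 'r')
            try:
                # Drop everything up to and including the </dtml-comment> header line
                body = []
                header = True
                for zsqlline in zsqlfile:
                    if not header:
                        body.append(zsqlline)
                    if '</dtml-comment>' in zsqlline:
                        header = False
            finally:
                zsqlfile.close()
            if header:
                raise ValueError('missing </dtml-comment> header terminator in %s' % filename)
            data = ''.join(body)
            # … unchanged: SQLWrapper construction and _setObject …
```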
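Review bot: The added `'test.example'` positional argument in the `@@ -1568` hunk is a bare literal that reads like a placeholder domain, and neither the commit log nor the CHANGES entry mentions this call site. If the value is intentional it should be a named constant (for example `DEFAULT_TICKET_DOMAIN = 'test.example'`) or come from the instance configuration, with a comment saying which parameter of the callee it fills; if it is a leftover from testing it should not ship in a security release. The enclosing function and the callee are both outside this hunk, so I cannot tell from here what the argument means.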
@@ -25,15 +25,44 @@ import OFS.Folder +from AccessControl import ClassSecurityInfo +from Products.FileSystemSite.Permissions import View, ViewManagementScreens +from Products.ZSQLMethods.SQL import SQL + + + class FSZSQLWrapper(FSZSQLMethod): """ A wrapper to an sql method which converts unicode to utf-8 """ def __call__(self, *args, **kw): + + # # Convert unicode to utf-8 strings + # + # Also Ensure that the combination of 0xc8 ' cannot be used in + # the data sent to the server, to prevent security attacks. See + # bug #1494281 - Postgres encoding security hole + # + # No unicode characters can map to this, so the check is not + # needed when dealing with unicode strings. The encoding + # sequence itself is invalid in utf-8 (which is the only + # internal encoding we would support) so it will just be + # discarded if found. + # + convkw = {} for key in kw: if type(kw[key]) is unicode: convkw[key] = kw[key].encode('utf-8') + elif type(kw[key]) is str: + if self.dbplatform == 'postgres': + # Only patch for postgres. Postgres has a class Binary + # for binary types, which should not be modified. Applying + # this patch for other database types may mean that raw + # data is modified. + convkw[key] = kw[key].replace('0xc8\'','') + else: + convkw[key] = kw[key] else: convkw[key] = kw[key] 
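Review bot: The filter `kw[key].replace('0xc8\'','')` in FSZSQLWrapper.__call__ does not remove the byte sequence the comment describes: the Python literal `'0xc8\''` is the five ASCII characters `0`, `x`, `c`, `8`, `'`, not the single byte 0xC8 followed by a quote, so the mitigation for #1494281 never matches real input. The intended escape is `'\xc8\''`, i.e. `convkw[key] = kw[key].replace('\xc8\'', '')`, and the same mistake is repeated in the SQLWrapper hunk that follows. Even with the literal corrected, stripping one hard-coded lead byte is a fragile blacklist; the comment block should say it is a stop-gap and that the durable fix is encoding-aware escaping in the database driver or server, so a later maintainer does not treat this as complete protection. The `self.dbplatform == 'postgres'` gate also assumes `dbplatform` is set on every FSZSQLWrapper instance, which this hunk does not show; an `AttributeError` here would break every SQL call rather than only the filter.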
@@ -41,20 +70,36 @@ return FSZSQLMethod.__call__(self, *args, **convkw) -class RelativeZSQLMethod(FSZSQLMethod): - """ - Some hacking so that we can use filenames relative to package_home() +class SQLWrapper(SQL): + """ A wrapper to an sql method which converts unicode to utf-8 """ - This - FSObject - """ + def __call__(self, *args, **kw): + + # + # Convert unicode to utf-8 strings + # + # Also Ensure that the combination of 0xc8 ' cannot be used in + # the data sent to the server, to prevent security attacks. See + # bug #1494281 - Postgres encoding security hole + # + # No unicode characters can map to this, so the check is not + # needed when dealing with unicode strings. The encoding + # sequence itself is invalid in utf-8 (which is the only + # internal encoding we would support) so it will just be + # discarded if found. + # - def __init__(self, id, filepath, fullname=None, properties=None): - pass + convkw = {} + for key in kw: + if type(kw[key]) is unicode: + convkw[key] = kw[key].encode('utf-8') + elif type(kw[key]) is str: + convkw[key] = kw[key].replace('0xc8\'','') + else: + convkw[key] = kw[key] - def __getattr__(self, name): - if name == '_filename': - pass + # Call method is target folder + return SQL.__call__(self, *args, **convkw) class MailManagerSQL(OFS.Folder.Folder): This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
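Review bot: SQLWrapper.__call__ is a verbatim copy of FSZSQLWrapper.__call__ from the previous hunk, including the twenty-line comment block, except that it applies the replace to every `str` argument unconditionally while FSZSQLWrapper only does so when `dbplatform == 'postgres'` — so the warning in that hunk about not modifying raw `Binary` data on other platforms is honored in one class and ignored in the other. A single module-level helper, e.g. `def _sanitize_kw(kw, postgres): ...` returning `convkw`, called from both `__call__` methods with the platform flag, would keep the two fixes in step and give the long explanatory comment one home. The trailing comment `# Call method is target folder` should read `# Call method in target folder`.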