![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5c206ff)
raw | patch | inline | side by side (parent: 5c206ff)
| author | richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2> | |
| Sun, 20 Dec 2009 23:24:21 +0000 (23:24 +0000) | ||
| committer | richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2> | |
| Sun, 20 Dec 2009 23:24:21 +0000 (23:24 +0000) |
also update docs and prepare for a release
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4412 57a73879-2fb5-44c3-a270-3262357dd7e2
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4412 57a73879-2fb5-44c3-a270-3262357dd7e2
diff --git a/CHANGES.txt b/CHANGES.txt
index 12385abf6bd8aedc64f7eafe6e2b9e1dd23084d5..9fa9c29d7ae9a98149f77f15aaab2a12d7c8d200 100644 (file)
--- a/CHANGES.txt
+++ b/CHANGES.txt
- Generic class editor may now restore retired items (thanks Ralf Hemmecke)
Fixes:
+- Fix security hole allowing user permission escalation (thanks Ralf
+ Schlatterbeck)
- More SSL fixes. SSL wants the underlying socket non-blocking. So we
don't call socket.setdefaulttimeout in case of SSL. This apparently
never raises a WantReadError from SSL.
diff --git a/doc/announcement.txt b/doc/announcement.txt
index 3ed341fecedc9ef6c1d4164be12d2d6056d435df..247bdc68299a7b018f6692f3f570b64aea10fcd2 100644 (file)
--- a/doc/announcement.txt
+++ b/doc/announcement.txt
-I'm proud to release version 1.4.10 of Roundup which fixes some bugs:
-
-- Minor update of doc/developers.txt to point to the new resources
- on www.roundup-tracker.org (Bernhard Reiter)
-- Small CSS improvements regaring the search box (thanks Thomas Arendsan Hein)
- (issue 2550589)
-- Indexers behaviour made more consistent regarding length of indexed words
- and stopwords (thanks Thomas Arendsen Hein, Bernhard Reiter)(issue 2550584)
-- fixed typos in the installation instructions (thanks Thomas Arendsen Hein)
- (issue 2550573)
-- New config option csv_field_size: Pythons csv module (which is used
- for export/import) has a new field size limit starting with python2.5.
- We now issue a warning during export if the limit is too small and use
- the csv_field_size configuration during import to set the limit for
- the csv module.
-- Small fix for CGI-handling of XMLRPC requests for python2.4, this
- worked only for 2.5 and beyond due to a change in the xmlrpc interface
- in python
-- Document filter method of xmlrpc interface
-- Fix interaction of SSL and XMLRPC, now XMLRPC works with SSL
+I'm proud to release version 1.4.11 of Roundup which fixes a number bugs
+and closes a potential security hole.
+
+All tracker maintainers must read the upgrading documentation to make sure
+the hole is fixed in their tracker.
+
+Other changes in this release:
+
+- Generic class editor may now restore retired items (thanks Ralf Hemmecke)
+- Fix security hole allowing user permission escalation (thanks Ralf
+ Schlatterbeck)
+- More SSL fixes. SSL wants the underlying socket non-blocking. So we
+ don't call socket.setdefaulttimeout in case of SSL. This apparently
+ never raises a WantReadError from SSL.
+ This also fixes a case where a WantReadError is raised and apparently
+ the bytes already read are dropped (seems the WantReadError is really
+ an error, not just an indication to retry).
+- Correct initial- and end-handshakes for SSL
+- Update FAQ to mention infinite redirects with pathological settings of
+ the tracker->web variable. Closes issue2537286, thanks to "stuidge"
+ for reporting.
+- Fix some format errors in italian translation file
+- Some bugs issue classifiers were causing database lookup errors
+- Fix security-problem: If user hasn't permission on a message (notably
+ files and content properties) and is on the nosy list, the content was
+ sent via email. We now check that user has permission on the message
+ content and files properties. Thanks to Intevation for funding this
+ fix.
+- Fix traceback on .../msgN/ url, this requests the file content and for
+ apache mod_wsgi produced a traceback because the mime type is None for
+ messages, fixes issue2550586, thanks to Thomas Arendsen Hein for
+ reporting and to Intevation for funding the fix.
+- Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
+ Thanks to Thomas Arendsen Hein for reporting and to Intevation for
+ funding the fix.
+- Add documentation for migrating to the Register permission and
+ fix mailgw to use Register permission, fixes issue2550599
+- Fix styling of calendar to make it more usable, fixes issue2550608
+- Fix typo in email section of user guide, fixes issue2550607
+- Fix WSGI response code (thanks Peter Pöml)
+- Fix linking of an existing item to a newly created item, e.g.
+ edit action in web template is name="issue-1@link@msg" value="msg1"
+ would trigger a traceback about an unbound variable.
+ Add new regression test for this case. May be related to (now closed)
+ issue1177477. Thanks to Intevation for funding the fix.
+- Clean up all the places where role processing occurs. This is now in a
+ central place in hyperdb.Class and is used consistently throughout.
+ This also means now a template can override the way role processing
+ occurs (e.g. for elaborate permission schemes). Thanks to intevation
+ for funding the change.
+- Fix issue2550606 (german translation bug) "an hour" is only used in
+ the context "in an hour" or "an hour ago" which translates to german
+ "in einer Stunde" or "vor einer Stunde". So "an hour" is translated
+ "einer Stunde" (which sounds wrong at first). Also note that date.py
+ already has a comment saying "XXX this is internationally broken" --
+ but at least there's a workaround for german :-) Thanks to Chris
+ (radioking) for reporting.
If you're upgrading from an older version of Roundup you *must* follow
the "Software Upgrade" guidelines given in the maintenance documentation.
diff --git a/doc/upgrading.txt b/doc/upgrading.txt
index a5fe4e86c8a08da813ff4865e201b18a886ee4f4..cd864817f312e1dbcff2e4b9facb51736a2d7bba 100644 (file)
--- a/doc/upgrading.txt
+++ b/doc/upgrading.txt
Migrating from 1.4.x to 1.4.11
==============================
+Close poential security hole
+----------------------------
+
+If your tracker has untrusted users you should examine its ``schema.py``
+file and look for the section granting the "Edit" permission to your users.
+This should look something like::
+
+ p = db.security.addPermission(name='Edit', klass='user', check=own_record,
+ description="User is allowed to edit their own user details")
+
+and should be modified to restrict the list of properties they are allowed
+to edit by adding the ``properties=`` section like::
+
+ p = db.security.addPermission(name='Edit', klass='user', check=own_record,
+ properties=('username', 'password', 'address', 'realname', 'phone',
+ 'organisation', 'alternate_addresses', 'queries', 'timezone'),
+ description="User is allowed to edit their own user details")
+
+Most importantly the "roles" property should not be editable - thus not
+appear in that list of properties.
+
+
Grant the "Register" permission to the Anonymous role
-----------------------------------------------------
index 09ff2551fccbdedecbe12e53970486d172e031dd..a0060a9586173edde5e0d35907233f7270dd9c06 100644 (file)
description="User is allowed to view their own user details")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Edit', klass='user', check=own_record,
+ properties=('username', 'password', 'address', 'realname', 'phone',
+ 'organisation', 'alternate_addresses', 'queries', 'timezone'),
description="User is allowed to edit their own user details")
db.security.addPermissionToRole('User', p)
index 3333e55ca4aa7ba3e0fe4e2851a695102f982f4d..603eaae69847e38271f50b325708465466ce915f 100644 (file)
description="User is allowed to view their own user details")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Edit', klass='user', check=own_record,
+ properties=('username', 'password', 'address', 'alternate_addresses'),
description="User is allowed to edit their own user details")
db.security.addPermissionToRole('User', p)