| author | Chris McDonough <chrism@plope.com> | 2012-02-28 03:56:44 -0500 |
|---|---|---|
| committer | Chris McDonough <chrism@plope.com> | 2012-02-28 03:56:44 -0500 |
| commit | 52ca12afbf96621ffa225133529bae0a6a70a446 (patch) | |
| tree | 5cc64fedf88ea71bbb851263fe79ec2e98e2d3f9 /CHANGES.txt | |
| parent | 1ca9703d8b815db21e9011b5d5187d18704152fe (diff) | |
| download | pyramid-52ca12afbf96621ffa225133529bae0a6a70a446.tar.gz pyramid-52ca12afbf96621ffa225133529bae0a6a70a446.tar.bz2 pyramid-52ca12afbf96621ffa225133529bae0a6a70a446.zip | |
Fix security bug caused by __iter__ checking on strings under Python 3
Diffstat (limited to 'CHANGES.txt')
| -rw-r--r-- | CHANGES.txt | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 2c3d2c3a8..84de3c642 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -9,6 +9,33 @@ Bug Fixes the documentation as an API method was a mistake, and it has been renamed to something private. +- Bug in ACL authentication checking on Python 3: the ``permits`` and + ``principals_allowed_by_permission`` method of + ``pyramid.authorization.ACLAuthenticationPolicy`` could return an + inappropriate ``True`` value when a permission on an ACL was a string + rather than a sequence, and then only if the ACL permission string was a + substring of the ``permission`` value passed to the function. + + This bug effects no Pyramid deployment under Python 2; it is a bug that + exists only in deployments running on Python 3. It has existed since + Pyramid 1.3a1. + + This bug was due to the presence of an ``__iter__`` attribute on strings + under Python 3 which is not present under strings in Python 2. I've been + assured by multiple Python cognoscenti that this difference in behavior + between Python 2 and Python 3 makes complete sense. Iterating over a + string character by character is of course something everyone wants to do + as often as possible and it would just be too darn slow to need to call a + method in order to turn a string into a list. Announcing that a string is + iterable by adding an ``__iter__`` to it simply canonizes its amazing, + speedy usefulness! So lest you think that Python 3's addition of an + ``__iter__`` to strings was a useless, pointless, harmful, + developer-hostile change, you're clearly mistaken, and quite possibly + brain-damaged. I feel for you. It's clearly much better to have a bug + that goes uncaught for nine alphas and one beta and almost leads to a + latent security hole that might have led to indiscriminate data + disclosure. + 1.3b1 (2012-02-26) ================== |
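Review bot: The class named in the new entry, ``pyramid.authorization.ACLAuthenticationPolicy``, does not match its module path (``pyramid.authorization``) or the opening words "ACL authentication checking"; please confirm the actual class name before this ships, and fix the two small slips in the same paragraph ("method" should be "methods" since two methods are listed, and "effects" should be "affects"). The technical description would also be clearer if it stated the mechanism directly: a string ACE permission is iterated character by character on Python 3, so a membership test against it becomes a substring test, which is why a longer requested permission containing the ACL string as a substring was granted. The long editorial paragraph about Python 3's ``__iter__`` on strings belongs in the commit message or a blog post rather than CHANGES.txt; a user reading the changelog wants the affected versions (1.3a1 through 1.3b1, Python 3 only) and the fix, so consider trimming the entry to those facts and stating that Python 3 deployments should upgrade.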
