author Chris McDonough <chrism@plope.com> 2012-02-28 03:56:44 -0500
committer Chris McDonough <chrism@plope.com> 2012-02-28 03:56:44 -0500
commit 52ca12afbf96621ffa225133529bae0a6a70a446 (patch)
tree 5cc64fedf88ea71bbb851263fe79ec2e98e2d3f9 /CHANGES.txt
parent 1ca9703d8b815db21e9011b5d5187d18704152fe (diff)
Fix security bug caused by __iter__ checking on strings under Python 3
Diffstat (limited to 'CHANGES.txt')
-rw-r--r-- CHANGES.txt 27
1 files changed, 27 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 2c3d2c3a8..84de3c642 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -9,6 +9,33 @@ Bug Fixes
the documentation as an API method was a mistake, and it has been renamed
to something private.
+- Bug in ACL authentication checking on Python 3: the ``permits`` and
+ ``principals_allowed_by_permission`` method of
+ ``pyramid.authorization.ACLAuthenticationPolicy`` could return an
+ inappropriate ``True`` value when a permission on an ACL was a string
+ rather than a sequence, and then only if the ACL permission string was a
+ substring of the ``permission`` value passed to the function.
+
+ This bug effects no Pyramid deployment under Python 2; it is a bug that
+ exists only in deployments running on Python 3. It has existed since
+ Pyramid 1.3a1.
+
+ This bug was due to the presence of an ``__iter__`` attribute on strings
+ under Python 3 which is not present under strings in Python 2. I've been
+ assured by multiple Python cognoscenti that this difference in behavior
+ between Python 2 and Python 3 makes complete sense. Iterating over a
+ string character by character is of course something everyone wants to do
+ as often as possible and it would just be too darn slow to need to call a
+ method in order to turn a string into a list. Announcing that a string is
+ iterable by adding an ``__iter__`` to it simply canonizes its amazing,
+ speedy usefulness! So lest you think that Python 3's addition of an
+ ``__iter__`` to strings was a useless, pointless, harmful,
+ developer-hostile change, you're clearly mistaken, and quite possibly
+ brain-damaged. I feel for you. It's clearly much better to have a bug
+ that goes uncaught for nine alphas and one beta and almost leads to a
+ latent security hole that might have led to indiscriminate data
+ disclosure.
+
1.3b1 (2012-02-26)
==================
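Review bot: the new changelog entry describes the fault but not the remediation, so an operator reading it cannot tell what changed in ``ACLAuthenticationPolicy`` or what they must do beyond "upgrade"; the first paragraph should end with a sentence stating how permission entries that are strings are now handled and which release carries the fix (the hunk is placed above the ``1.3b1 (2012-02-26)`` heading, so presumably the next release, but say so). Two wording fixes in the same paragraph: "the ``permits`` and ``principals_allowed_by_permission`` method of" should be "methods of", and "This bug effects no Pyramid deployment" should be "affects". The direction of the substring relation stated in the first paragraph ("the ACL permission string was a substring of the ``permission`` value passed") is the detail that determines which permission names were exposed, so it is worth confirming against the actual comparison in the policy code before release. Finally, the third paragraph (from "I've been assured by multiple Python cognoscenti" onward) is editorial rather than release information; a changelog that users and packagers scan for security-relevant changes reads better if that paragraph is reduced to the one factual sentence about ``__iter__`` on Python 3 strings, with the rest moved to the commit message or a blog post.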