From 52ca12afbf96621ffa225133529bae0a6a70a446 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Tue, 28 Feb 2012 03:56:44 -0500 Subject: Fix security bug caused by __iter__ checking on strings under Python 3 --- CHANGES.txt | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 2c3d2c3a8..84de3c642 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
@@ -9,6 +9,33 @@ Bug Fixes the documentation as an API method was a mistake, and it has been renamed to something private. +- Bug in ACL authentication checking on Python 3: the ``permits`` and + ``principals_allowed_by_permission`` method of + ``pyramid.authorization.ACLAuthenticationPolicy`` could return an + inappropriate ``True`` value when a permission on an ACL was a string + rather than a sequence, and then only if the ACL permission string was a + substring of the ``permission`` value passed to the function. + + This bug effects no Pyramid deployment under Python 2; it is a bug that + exists only in deployments running on Python 3. It has existed since + Pyramid 1.3a1. + + This bug was due to the presence of an ``__iter__`` attribute on strings + under Python 3 which is not present under strings in Python 2. I've been + assured by multiple Python cognoscenti that this difference in behavior + between Python 2 and Python 3 makes complete sense. Iterating over a + string character by character is of course something everyone wants to do + as often as possible and it would just be too darn slow to need to call a + method in order to turn a string into a list. Announcing that a string is + iterable by adding an ``__iter__`` to it simply canonizes its amazing, + speedy usefulness! So lest you think that Python 3's addition of an + ``__iter__`` to strings was a useless, pointless, harmful, + developer-hostile change, you're clearly mistaken, and quite possibly + brain-damaged. I feel for you. It's clearly much better to have a bug + that goes uncaught for nine alphas and one beta and almost leads to a + latent security hole that might have led to indiscriminate data + disclosure. + 1.3b1 (2012-02-26) ================== -- cgit v1.2.3
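Review bot: the class named in the new entry, ``pyramid.authorization.ACLAuthenticationPolicy``, is misnamed: the module path it gives and the two methods it lists (``permits`` and ``principals_allowed_by_permission``) are the ACL authorization policy's, whose class is ``ACLAuthorizationPolicy``, and the entry's first line ``Bug in ACL authentication checking on Python 3`` should likewise say authorization; as written, someone grepping the changelog for the class that actually has the bug will not find it. Two smaller fixes in the same lines: ``method of`` should be ``methods of`` since two are listed, and ``This bug effects no Pyramid deployment under Python 2`` should be ``affects``. The entry describes the faulty behavior (a string ACL permission treated as a sequence, so a substring of the requested permission yields ``True``) but never states what the fix does; one sentence saying how a string permission on an ACL is now handled (treated as a single permission name, or rejected) would let deployers know whether their existing ACLs need changing. Finally, everything from ``I've been assured by multiple Python cognoscenti`` onward is commentary rather than release notes; consider keeping the CHANGES entry to the three factual paragraphs and moving the rest to the commit message or a blog post.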