From 6a3b55f7aa4668f0af26fbdce547ca72a2d035e8 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Wed, 5 Sep 2012 11:15:44 +0400
Subject: [PATCH] www/moinmoin: fix CVE-2012-4404, wrong processing of group ACLs

Signed-off-by: Eygene Ryabinkin
---
 www/moinmoin/Makefile | 1 +
 www/moinmoin/files/patch-cve-2012-4404 | 137 +++++++++++++++++++++++++++++++++
 2 files changed, 138 insertions(+)
 create mode 100644 www/moinmoin/files/patch-cve-2012-4404

diff --git a/www/moinmoin/Makefile b/www/moinmoin/Makefile
index 352142a..e216dc5 100644
--- a/www/moinmoin/Makefile
+++ b/www/moinmoin/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME= moinmoin
 PORTVERSION= 1.9.4
+PORTREVISION= 1
 CATEGORIES= www python
 MASTER_SITES= http://static.moinmo.in/files/
 DISTNAME= moin-${PORTVERSION}
diff --git a/www/moinmoin/files/patch-cve-2012-4404 b/www/moinmoin/files/patch-cve-2012-4404
new file mode 100644
index 0000000..b8f7ea6
--- /dev/null
+++ b/www/moinmoin/files/patch-cve-2012-4404
@@ -0,0 +1,137 @@
+Obtained-from: http://hg.moinmo.in/moin/1.9/raw-rev/7b9f39289e16
+
+# HG changeset patch
+# User Thomas Waldmann
+# Date 1346679035 -7200
+# Node ID 7b9f39289e16b37344480025f191d8b64480c834
+# Parent 0e58d9bcd3bd8ab3a89506d66bc0c8df85c16d2c
+security fix: fix virtual group bug in ACL evaluation, add a test for it
+
+affected moin releases: all 1.9 releases up to and including 1.9.4
+
+moin releases < 1.9 are NOT affected.
+
+You can find out the moin version by looking at SystemInfo page or at the
+output of <> macro.
+
+Issue description:
+
+We have code that checks whether a group has special members "All" or "Known"
+or "Trusted", but there was a bug that checked whether these are present in
+the group NAME (not, as intended, in the group MEMBERS).
+
+a) If you have group MEMBERS like "All" or "Known" or "Trusted", they did not
+work until now, but will start working with this changeset.
+
+E.g. SomeGroup:
+ * JoeDoe
+ * Trusted
+
+SomeGroup will now (correctly) include JoeDoe and also all trusted users.
+
+It (erroneously) contained only "JoeDoe" and "Trusted" (as a username, not
+as a virtual group) before.
+
+b) If you have group NAMES containing "All" or "Known" or "Trusted", they behaved
+wrong until now (they erroneously included All/Known/Trusted users even if
+you did not list them as members), but will start working correctly with this
+changeset.
+
+E.g. AllFriendsGroup:
+ * JoeDoe
+
+AllFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all users (including JoeDoe) before.
+
+E.g. MyTrustedFriendsGroup:
+ * JoeDoe
+
+MyTrustedFriendsGroup will now (correctly) include only JoeDoe.
+It (erroneously) contained all trusted users and JoeDoe before.
+
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/__init__.py
+--- MoinMoin/security/__init__.py Fri Aug 03 17:36:02 2012 +0200
++++ MoinMoin/security/__init__.py Mon Sep 03 15:30:35 2012 +0200
+@@ -320,11 +320,12 @@
+ handler = getattr(self, "_special_"+entry, None)
+ allowed = handler(request, name, dowhat, rightsdict)
+ elif entry in groups:
+- if name in groups[entry]:
++ this_group = groups[entry]
++ if name in this_group:
+ allowed = rightsdict.get(dowhat)
+ else:
+ for special in self.special_users:
+- if special in entry:
++ if special in this_group:
+ handler = getattr(self, "_special_" + special, None)
+ allowed = handler(request, name, dowhat, rightsdict)
+ break # order of self.special_users is important
+diff -r 0e58d9bcd3bd -r 7b9f39289e16 MoinMoin/security/_tests/test_security.py
+--- MoinMoin/security/_tests/test_security.py Fri Aug 03 17:36:02 2012 +0200
++++ MoinMoin/security/_tests/test_security.py Mon Sep 03 15:30:35 2012 +0200
+@@ -16,10 +16,11 @@
+ acliter = security.ACLStringIterator
+ AccessControlList = security.AccessControlList
+ 
++from MoinMoin.datastruct import ConfigGroups
+ from MoinMoin.PageEditor import PageEditor
+ from MoinMoin.user import User
+ 
+-from MoinMoin._tests import become_trusted, create_page, nuke_page
++from MoinMoin._tests import wikiconfig, become_trusted, create_page, nuke_page
+ 
+ class TestACLStringIterator(object):
+ 
+@@ -248,6 +249,50 @@
+ assert not acl.may(self.request, user, right)
+ 
+ 
++class TestGroupACL(object):
++
++ class Config(wikiconfig.Config):
++ def groups(self, request):
++ groups = {
++ u'PGroup': frozenset([u'Antony', u'Beatrice', ]),
++ u'AGroup': frozenset([u'All', ]),
++ # note: the next line is a INTENDED misnomer, there is "All" in
++ # the group NAME, but not in the group members. This makes
++ # sure that a bug that erroneously checked "in groupname" (instead
++ # of "in groupmembers") does not reappear.
++ u'AllGroup': frozenset([]), # note: intended misnomer
++ }
++ return ConfigGroups(request, groups)
++
++ def testApplyACLByGroup(self):
++ """ security: applying acl by group name"""
++ # This acl string...
++ acl_rights = [
++ "PGroup,AllGroup:read,write,admin "
++ "AGroup:read "
++ ]
++ acl = security.AccessControlList(self.request.cfg, acl_rights)
++
++ # Should apply these rights:
++ users = (
++ # user, rights
++ ('Antony', ('read', 'write', 'admin', )), # in PGroup
++ ('Beatrice', ('read', 'write', 'admin', )), # in PGroup
++ ('Charles', ('read', )), # virtually in AGroup
++ )
++
++ # Check rights
++ for user, may in users:
++ mayNot = [right for right in self.request.cfg.acl_rights_valid
++ if right not in may]
++ # User should have these rights...
++ for right in may:
++ assert acl.may(self.request, user, right)
++ # But NOT these:
++ for right in mayNot:
++ assert not acl.may(self.request, user, right)
++
++
+ class TestPageAcls(object):
+ """ security: real-life access control list on pages testing
+ """
+ 
-- 
1.7.11.3
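Review bot: The new `TestGroupACL` exercises the corrected `if special in this_group:` check only for the `All` virtual member (`AGroup`), so the `Known` and `Trusted` branches of the same `for special in self.special_users:` loop, which dispatch through `getattr(self, "_special_" + special, None)`, remain untested by this regression test. Since `become_trusted` is already imported at the top of test_security.py, adding a group such as `u'TGroup': frozenset([u'Trusted', ])` and asserting its rights both before and after a `become_trusted` call would pin the other two cases that the Obtained-from description says were broken. The `break` after the first matching special user means a group listing more than one of them is decided purely by the order of `special_users`; the existing comment only hints at this, and a comment such as `# first hit wins: special_users is ordered widest grant first` next to the loop would state the intent (assuming All is the widest grant, as the names suggest). The method containing the `elif entry in groups:` branch begins and ends outside the hunk.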