
Commit 98f6125

d-maurer and tseaver authored
Merge commit from fork
* prevent untrusted access to `AccessControl.userfolder.UserFolder.data`
* fix: capitalization

---------

Co-authored-by: Tres Seaver <tseaver@palladion.com>
1 parent 5e846cb commit 98f6125


2 files changed

+4
-0
lines changed


CHANGES.rst

+3
@@ -6,6 +6,9 @@ For changes before version 3.0, see ``HISTORY.rst``.
66
7.2 (unreleased)
77
----------------
88

9+
- Prevent untrusted access to ``AccessControl.userfolder.UserFolder.data``
10+
(fixes `GHSA-g5vw-3h65-2q3v <https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v>`_).
11+
912

1013
7.1 (2024-10-10)
1114
----------------
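
Review bot: the new 7.2 entry names the attribute and links the advisory, but it does not tell a reader scanning the changelog what was exposed or whether they need to do anything beyond upgrading. Suggest adding one clause saying what `data` contains and that the fix takes effect on upgrade, so the urgency can be judged without opening GHSA-g5vw-3h65-2q3v.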

src/AccessControl/userfolder.py

+1
@@ -376,6 +376,7 @@ class UserFolder(BasicUserFolder):
376376
zmi_show_add_dialog = False
377377
id = 'acl_users'
378378
title = 'User Folder'
379+
data__roles__ = () # prevent untrusted access to ``data``.
379380

380381
def __init__(self):
381382
self.data = PersistentMapping()
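
Review bot: the added `data__roles__ = ()` line in the `UserFolder` class body ships without a regression test; the commit touches only CHANGES.rst and src/AccessControl/userfolder.py. Suggest a test asserting that untrusted access to `data` on a `UserFolder` is refused, so a later cleanup of the class attributes cannot silently drop the guard. The inline comment could also state that the empty tuple means no role is granted access and cite GHSA-g5vw-3h65-2q3v, since the `<name>__roles__` convention is easy to misread as an unused attribute.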
