From 98f6125542a3de1836a2c0c202fa5226cb679a02 Mon Sep 17 00:00:00 2001
From: Dieter Maurer
Date: Sun, 3 Nov 2024 12:46:05 +0100
Subject: [PATCH] Merge commit from fork

* prevent untrusted access to `AccessControl.userfolder.UserFolder.data`
* fix: capitalization

---------

Co-authored-by: Tres Seaver
---
 CHANGES.rst                     | 3 +++
 src/AccessControl/userfolder.py | 1 +
 2 files changed, 4 insertions(+)

diff --git a/CHANGES.rst b/CHANGES.rst
index d61906f..049fc0d 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -6,6 +6,9 @@ For changes before version 3.0, see ``HISTORY.rst``.
 
 7.2 (unreleased)
 ----------------
 
+- Prevent untrusted access to ``AccessControl.userfolder.UserFolder.data``
+  (fixes `GHSA-g5vw-3h65-2q3v `_).
+
 7.1 (2024-10-10)
 ----------------
diff --git a/src/AccessControl/userfolder.py b/src/AccessControl/userfolder.py
index 8405ef5..e8d4450 100644
--- a/src/AccessControl/userfolder.py
+++ b/src/AccessControl/userfolder.py
@@ -376,6 +376,7 @@ class UserFolder(BasicUserFolder):
     zmi_show_add_dialog = False
     id = 'acl_users'
     title = 'User Folder'
+    data__roles__ = ()  # prevent untrusted access to ``data``.
 
     def __init__(self):
         self.data = PersistentMapping()
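Review bot: The added `data__roles__ = ()` is the entire fix, yet the diffstat lists only CHANGES.rst and userfolder.py, so no regression test pins that restricted code reading `acl_users.data` (the `PersistentMapping` assigned in `__init__`) is now refused while the folder's own trusted methods keep working. A small test that evaluates `context.acl_users.data` under the restricted-Python guard and expects `Unauthorized` would also catch a later rename of `data`, which would silently orphan the `data__roles__` marker. The one-line comment could say what the empty tuple means, e.g. `# __roles__ = (): no role is allowed, so restricted code cannot read the account mapping`, assuming the usual AccessControl convention that an empty roles tuple denies everyone — worth confirming against the security policy. The enclosing UserFolder class continues beyond this hunk.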