
Commit

Merge commit from fork
* prevent untrusted access to `AccessControl.userfolder.UserFolder.data`

* fix: capitalization

---------

Co-authored-by: Tres Seaver <tseaver@palladion.com>
d-maurer and tseaver authored Nov 3, 2024
1 parent 5e846cb commit 98f6125
Showing 2 changed files with 4 additions and 0 deletions.
3 changes: 3 additions & 0 deletions CHANGES.rst
Expand Up @@ -6,6 +6,9 @@ For changes before version 3.0, see ``HISTORY.rst``.
7.2 (unreleased)
----------------

- Prevent untrusted access to ``AccessControl.userfolder.UserFolder.data``
(fixes `GHSA-g5vw-3h65-2q3v <https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v>`_).


7.1 (2024-10-10)
----------------
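Review bot: The new 7.2 entry names the attribute but does not say what changes for a site that upgrades. Since `data` on `UserFolder` is now private, any restricted script or template that read `acl_users.data` will be denied after this release; a short sentence saying so, next to the advisory link, would let integrators spot the behaviour change from the changelog alone instead of having to open GHSA-g5vw-3h65-2q3v.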
1 change: 1 addition & 0 deletions src/AccessControl/userfolder.py
Expand Up @@ -376,6 +376,7 @@ class UserFolder(BasicUserFolder):
zmi_show_add_dialog = False
id = 'acl_users'
title = 'User Folder'
data__roles__ = () # prevent untrusted access to ``data``.

def __init__(self):
self.data = PersistentMapping()
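Review bot: No regression test accompanies the added `data__roles__ = ()` line in `UserFolder`; the commit touches only CHANGES.rst and userfolder.py. Please add a test that a guarded (untrusted) lookup of `data` on a `UserFolder` instance is refused, so that a later refactoring of the class attributes cannot silently reopen the advisory. The inline comment could also state that the empty tuple marks the attribute as private, because `()` and `None` have opposite meanings for `__roles__` and the difference is easy to misread when this line is next edited.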
