B5 users should update to b6 and then b7. B6 users should be able to
do a simple easy_install -U as described in the install instructions:

    (tg2env)$ easy_install -U -i http://www.turbogears.org/2.0/downloads/current/index tg.devtools

(instructions: http://turbogears.org/2.0/docs/main/DownloadInstall.html )

The check for controller wide security was not working properly, and
we discovered that we were not enforcing controller level security
restrictions on subcontrollers. We take this very seriously even though
it happened in a beta, and we are taking steps to assure that it won't
happen again. It turns out that we moved some tests that would have
prevented this into another package, and that left one small thing in
TG which was no longer tested, and of course that's where our problem
was. We've added several tests to make sure this can't happen again,
and I've changed the way that we check controller authorization to be
less fragile.

In order to make sure that the rapid development of our security stuff
has not created any other issues, and in order to review all existing
authorization/authentication code we'll be holding a security sprint
this weekend. We will be adding additional integration tests, and
doing a full audit of all security related packages on Sunday.

There was also another issue that kept the __before__ method used by
our controller security system from running properly. Special thanks
goes out to Alberto Valverde for contributing to fixes to both these
critical issues.

We've also added some more tests to the quickstart. In particular
there are tests for the security system built right into the
quickstarted project so users can easily see how to assure that their
security measures are working the way they expect, and we have some
additional helpers for testing authorization rules coming in the next
release.
--
Mark Ramm-Christensen
email: mark at compoundthinking dot com
blog: www.compoundthinking.com/blog
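
A regression check for the kind of gap the announcement describes, as an added example that is not part of the original message and is not TurboGears code. It uses a toy dispatcher in which every class, attribute and function name is hypothetical; `check_parents=False` is an assumed model of the failure, not the actual TG defect.

```python
# Toy object-dispatch model, constructed for illustration (not TurboGears code).
class Denied(Exception):
    pass

class Controller:
    required_group = None  # hypothetical controller-wide restriction
    def authorize(self, groups):
        if self.required_group and self.required_group not in groups:
            raise Denied(type(self).__name__)
    def index(self):
        return type(self).__name__.lower()

class Reports(Controller):  # subcontroller with no restriction of its own
    pass
class Admin(Controller):
    required_group = "managers"
    reports = Reports()
class Root(Controller):
    admin = Admin()

def dispatch(root, path, groups, check_parents=True):
    """Resolve path to a controller, authorize, then call its index()."""
    chain = [root]
    for part in filter(None, path.split("/")):
        child = vars(type(chain[-1])).get(part)
        if not isinstance(child, Controller):
            raise LookupError(path)
        chain.append(child)
    # Assumed failure model: with check_parents=False only the last controller is checked.
    for ctrl in (chain if check_parents else chain[-1:]):
        ctrl.authorize(groups)
    return chain[-1].index()

def walk(ctrl, prefix=""):
    """Yield the path of every controller mounted in the tree."""
    yield prefix or "/"
    for name, attr in vars(type(ctrl)).items():
        if isinstance(attr, Controller):
            yield from walk(attr, f"{prefix}/{name}")

def leaks(root, restricted_prefix, groups, check_parents=True):
    """Paths under restricted_prefix that still answer for these groups."""
    found = []
    for path in walk(root):
        if path.startswith(restricted_prefix):
            try:
                dispatch(root, path, groups, check_parents)
                found.append(path)
            except Denied:
                pass
    return found
```

A project test suite would assert that `leaks(...)` is empty for a user without the required group, so a newly mounted subcontroller cannot silently escape its parent's restriction.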