Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
erp5
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kristopher Ruzic
erp5
Commits
44d91a2b
Commit
44d91a2b
authored
Nov 07, 2012
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Plain Diff
Merge remote-tracking branch 'origin/plone_hotfix_20120830'
parents
f7299d37
8c4427ab
Changes
8
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
2515 additions
and
0 deletions
+2515
-0
product/PloneHotfix20121106/README.txt
product/PloneHotfix20121106/README.txt
+51
-0
product/PloneHotfix20121106/__init__.py
product/PloneHotfix20121106/__init__.py
+20
-0
product/PloneHotfix20121106/allow_module.py
product/PloneHotfix20121106/allow_module.py
+17
-0
product/PloneHotfix20121106/atat.py
product/PloneHotfix20121106/atat.py
+15
-0
product/PloneHotfix20121106/ftp.py
product/PloneHotfix20121106/ftp.py
+9
-0
product/PloneHotfix20121106/get_request_var_or_attr.py
product/PloneHotfix20121106/get_request_var_or_attr.py
+2
-0
product/PloneHotfix20121106/safe_html.py
product/PloneHotfix20121106/safe_html.py
+2384
-0
product/PloneHotfix20121106/setHeader.py
product/PloneHotfix20121106/setHeader.py
+17
-0
No files found.
product/PloneHotfix20121106/README.txt
0 → 100644
View file @
44d91a2b
Plone hotfix, 2012-11-06
========================
This hotfix fixes multiple vulnerabilities in Plone,
including arbitrary code execution and privilege escalation.
This hotfix should be applied to the following versions of Plone:
# Plone 4.3 <= 4.3a2
* Plone 4.2 <= 4.2.2
* Any older version of Plone including 2.1, 2.5, 3.0, 3.1, 3.2, 3.3, 4.0, and 4.1
The hotfix is officially supported by the Plone security team on the
following versions of Plone in accordance with the Plone
`version support policy`_: 3.3.6, 4.1.6, and 4.2.2.
However it has also received some testing on older versions of Plone.
The fixes included here will be incorporated into subsequent releases of Plone,
so Plone 4.2.3, 4.3b1 and greater should not require this hotfix.
Installation
============
Installation instructions can be found at
http://plone.org/products/plone-hotfix/releases/20121106
Q&A
===
Q: How can I confirm that the hotfix is installed correctly and my site is protected?
A: On startup, the hotfix will log a number of messages to the Zope event log
that look like this::
2012-11-05 21:15:26 INFO Products.PloneHotfix20121106 Applied registerConfiglet patch
The exact list of patches attempted depends on the version of Plone.
If a patch is attempted but fails, it will be logged as a warning that says
"Could not apply". This may indicate that you have a non-standard Plone
installation.
Q: How can I report problems installing the patch?
A: Contact the Plone security team at security@plone.org, or visit the
#plone channel on freenode IRC.
Q: How can I report other potential security vulnerabilities?
A: Please email the security team at security@plone.org rather than discussing
potential security issues publicly.
.. _`version support policy`: http://plone.org/support/version-support-policy
product/PloneHotfix20121106/__init__.py
0 → 100644
View file @
44d91a2b
import
logging
logger
=
logging
.
getLogger
(
__name__
)
hotfixes
=
(
'setHeader'
,
'allow_module'
,
'get_request_var_or_attr'
,
'safe_html'
,
# XXX: must be merged into our PortalTransforms product
'ftp'
,
'atat'
,
)
# Apply the fixes
for
hotfix
in
hotfixes
:
try
:
__import__
(
'%s.%s'
%
(
__name__
,
hotfix
))
logger
.
info
(
'Applied %s patch'
,
hotfix
)
except
Exception
:
logger
.
warn
(
'Could not apply %s'
,
hotfix
)
logger
.
info
(
'Hotfix installed'
)
product/PloneHotfix20121106/allow_module.py
0 → 100644
View file @
44d91a2b
import
AccessControl.SecurityInfo
from
AccessControl.SecurityInfo
import
ModuleSecurityInfo
def
allow_module
(
module_name
):
"""Allow a module and all its contents to be used from a
restricted Script. The argument module_name may be a simple
or dotted module or package name. Note that if a package
path is given, all modules in the path will be available."""
ModuleSecurityInfo
(
module_name
).
setDefaultAccess
(
1
)
ModuleSecurityInfo
(
module_name
).
declarePrivate
(
'allow_module'
)
dot
=
module_name
.
find
(
'.'
)
while
dot
>
0
:
ModuleSecurityInfo
(
module_name
[:
dot
]).
setDefaultAccess
(
1
)
ModuleSecurityInfo
(
module_name
).
declarePrivate
(
'allow_module'
)
dot
=
module_name
.
find
(
'.'
,
dot
+
1
)
AccessControl
.
allow_module
=
AccessControl
.
SecurityInfo
.
allow_module
=
allow_module
product/PloneHotfix20121106/atat.py
0 → 100644
View file @
44d91a2b
try
:
from
zope.traversing
import
namespace
except
ImportError
:
from
zope.app.traversing
import
namespace
try
:
from
zope.traversing.interfaces
import
TraversalError
except
ImportError
:
from
zope.exceptions
import
NotFoundError
as
TraversalError
old_traverse
=
namespace
.
view
.
traverse
def
traverse
(
self
,
name
,
ignored
):
if
not
name
:
raise
TraversalError
(
self
.
context
,
name
)
return
old_traverse
(
self
,
name
,
ignored
)
namespace
.
view
.
traverse
=
traverse
product/PloneHotfix20121106/ftp.py
0 → 100644
View file @
44d91a2b
from
AccessControl
import
getSecurityManager
from
zExceptions
import
Unauthorized
from
OFS.ObjectManager
import
ObjectManager
old_manage_FTPlist
=
ObjectManager
.
manage_FTPlist
def
manage_FTPlist
(
self
,
REQUEST
):
if
not
getSecurityManager
().
checkPermission
(
'Access contents information'
,
self
):
raise
Unauthorized
(
'Not allowed to access contents.'
)
ObjectManager
.
manage_FTPlist
=
manage_FTPlist
\ No newline at end of file
product/PloneHotfix20121106/get_request_var_or_attr.py
0 → 100644
View file @
44d91a2b
from
App
import
Undo
Undo
.
UndoSupport
.
get_request_var_or_attr__roles__
=
()
product/PloneHotfix20121106/safe_html.py
0 → 100644
View file @
44d91a2b
This diff is collapsed.
Click to expand it.
product/PloneHotfix20121106/setHeader.py
0 → 100644
View file @
44d91a2b
import
re
from
ZPublisher
import
HTTPResponse
_CRLF
=
re
.
compile
(
r'[\r\n]'
)
HTTPResponse
.
_CRLF
=
_CRLF
if
getattr
(
HTTPResponse
,
'_scrubHeader'
,
None
)
is
None
:
def
_scrubHeader
(
name
,
value
):
return
''
.
join
(
_CRLF
.
split
(
str
(
name
))),
''
.
join
(
_CRLF
.
split
(
str
(
value
)))
HTTPResponse
.
HTTPResponse
.
__old_setHeader
=
HTTPResponse
.
HTTPResponse
.
setHeader
def
setHeader
(
self
,
name
,
value
,
*
args
,
**
kwargs
):
name
,
value
=
_scrubHeader
(
name
,
value
)
return
self
.
__old_setHeader
(
name
,
value
,
*
args
,
**
kwargs
)
HTTPResponse
.
HTTPResponse
.
setHeader
=
setHeader
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment