Commit ebb897ec authored by Arnaud Fontaine

zope4: Remove old PloneHotfix20121106.

parent 00d51b1c
Plone hotfix, 2012-11-06
========================
This hotfix fixes multiple vulnerabilities in Plone,
including arbitrary code execution and privilege escalation.
This hotfix should be applied to the following versions of Plone:
# Plone 4.3 <= 4.3a2
* Plone 4.2 <= 4.2.2
* Any older version of Plone including 2.1, 2.5, 3.0, 3.1, 3.2, 3.3, 4.0, and 4.1
The hotfix is officially supported by the Plone security team on the
following versions of Plone in accordance with the Plone
`version support policy`_: 3.3.6, 4.1.6, and 4.2.2.
However it has also received some testing on older versions of Plone.
The fixes included here will be incorporated into subsequent releases of Plone,
so Plone 4.2.3, 4.3b1 and greater should not require this hotfix.
Installation
============
Installation instructions can be found at
http://plone.org/products/plone-hotfix/releases/20121106
Q&A
===
Q: How can I confirm that the hotfix is installed correctly and my site is protected?
A: On startup, the hotfix will log a number of messages to the Zope event log
that look like this::
2012-11-05 21:15:26 INFO Products.PloneHotfix20121106 Applied registerConfiglet patch
The exact list of patches attempted depends on the version of Plone.
If a patch is attempted but fails, it will be logged as a warning that says
"Could not apply". This may indicate that you have a non-standard Plone
installation.
Q: How can I report problems installing the patch?
A: Contact the Plone security team at security@plone.org, or visit the
#plone channel on freenode IRC.
Q: How can I report other potential security vulnerabilities?
A: Please email the security team at security@plone.org rather than discussing
potential security issues publicly.
.. _`version support policy`: http://plone.org/support/version-support-policy
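Review bot: the commit message ("Remove old PloneHotfix20121106") does not say why the removal is safe; the README being deleted states the fixes were to be incorporated into Plone 4.2.3, 4.3b1 and later, so the message should name the Zope 4 / Plone baseline of this tree that already carries each of the six patches listed in the loader (setHeader, allow_module, get_request_var_or_attr, safe_html, ftp, atat), otherwise a reader of the history cannot tell whether any of them was dropped without a replacement.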
import logging
logger = logging.getLogger(__name__)
hotfixes = (
'setHeader',
'allow_module',
'get_request_var_or_attr',
'safe_html', # XXX: must be merged into our PortalTransforms product
'ftp',
'atat',
)
# Apply the fixes
for hotfix in hotfixes:
try:
__import__('%s.%s' % (__name__, hotfix))
logger.info('Applied %s patch', hotfix)
except Exception:
logger.warn('Could not apply %s', hotfix)
logger.info('Hotfix installed')
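Review bot: the 'safe_html' entry still carries the note "XXX: must be merged into our PortalTransforms product"; before deleting this loader, confirm that merge has landed, because the loader's `except Exception` path only ever logged "Could not apply" and never failed startup, so nothing else in the tree would have flagged the patch as missing. Stating that confirmation in the commit message would be enough.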
import AccessControl
AccessControl.allow_module.__roles__ = ()
try:
from zope.traversing import namespace
except ImportError:
from zope.app.traversing import namespace
try:
from zope.traversing.interfaces import TraversalError
except ImportError:
from zope.exceptions import NotFoundError as TraversalError
old_traverse = namespace.view.traverse
def traverse(self, name, ignored):
if not name:
raise TraversalError(self.context, name)
return old_traverse(self, name, ignored)
namespace.view.traverse = traverse
from AccessControl import getSecurityManager
from zExceptions import Unauthorized
from OFS.ObjectManager import ObjectManager
ObjectManager.__old_manage_FTPlist = ObjectManager.manage_FTPlist
def manage_FTPlist(self, REQUEST):
"""Returns a directory listing consisting of a tuple of
(id,stat) tuples, marshaled to a string. Note, the listing it
should include '..' if there is a Folder above the current
one.
In the case of non-foldoid objects it should return a single
tuple (id,stat) representing itself."""
if not getSecurityManager().checkPermission('Access contents information', self):
raise Unauthorized('Not allowed to access contents.')
return self.__old_manage_FTPlist(REQUEST)
ObjectManager.manage_FTPlist = manage_FTPlist
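Review bot: this patch adds the 'Access contents information' permission check to `ObjectManager.manage_FTPlist`; the removal should reference the upstream OFS.ObjectManager change that performs the same check, since the commit as written gives no evidence that FTP directory listings remain gated by that permission once the monkey patch is gone.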
from App import Undo
Undo.UndoSupport.get_request_var_or_attr__roles__ = ()
from builtins import str
import re
from ZPublisher import HTTPResponse
_CRLF = re.compile(r'[\r\n]')
HTTPResponse._CRLF = _CRLF
if getattr(HTTPResponse, '_scrubHeader', None) is None:
def _scrubHeader(name, value):
return ''.join(_CRLF.split(str(name))), ''.join(_CRLF.split(str(value)))
HTTPResponse.HTTPResponse.__old_setHeader = HTTPResponse.HTTPResponse.setHeader
def setHeader(self, name, value, *args, **kwargs):
name, value = _scrubHeader(name, value)
return self.__old_setHeader(name, value, *args, **kwargs)
HTTPResponse.HTTPResponse.setHeader = setHeader
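Review bot: indentation is lost in the rendered view, so it is not visible whether the `setHeader` override is inside the `if getattr(HTTPResponse, '_scrubHeader', None) is None:` guard; if it is not, the bare `_scrubHeader` name in `setHeader` is unbound on any Zope that already provides `HTTPResponse._scrubHeader`, and the file would raise NameError on the first header set. Either way the patch is only meaningful on a Zope that lacks header scrubbing, and the `from builtins import str` import means it also depended on the `future` package under Python 2, both of which support dropping it from a zope4 tree; worth noting in the commit message.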