Add Plone 20121106 hotfixes for ERP5

product/PloneHotfix20121106/README.txt

+Plone hotfix, 2012-11-06
+========================
+
+This hotfix fixes multiple vulnerabilities in Plone,
+including arbitrary code execution and privilege escalation.
+
+This hotfix should be applied to the following versions of Plone:
+
+# Plone 4.3 <= 4.3a2
+* Plone 4.2 <= 4.2.2
+* Any older version of Plone including 2.1, 2.5, 3.0, 3.1, 3.2, 3.3, 4.0, and 4.1
+
+The hotfix is officially supported by the Plone security team on the
+following versions of Plone in accordance with the Plone
+`version support policy`_: 3.3.6, 4.1.6, and 4.2.2. 
+However it has also received some testing on older versions of Plone.
+The fixes included here will be incorporated into subsequent releases of Plone,
+so Plone 4.2.3, 4.3b1 and greater should not require this hotfix.
+
+
+Installation
+============
+
+Installation instructions can be found at
+http://plone.org/products/plone-hotfix/releases/20121106
+
+
+Q&A
+===
+
+Q: How can I confirm that the hotfix is installed correctly and my site is protected?
+  A: On startup, the hotfix will log a number of messages to the Zope event log
+  that look like this::
+
+    2012-11-05 21:15:26 INFO Products.PloneHotfix20121106 Applied registerConfiglet patch
+
+  The exact list of patches attempted depends on the version of Plone.
+  If a patch is attempted but fails, it will be logged as a warning that says
+  "Could not apply". This may indicate that you have a non-standard Plone
+  installation.
+
+Q: How can I report problems installing the patch?
+  A: Contact the Plone security team at security@plone.org, or visit the
+  #plone channel on freenode IRC.
+
+Q: How can I report other potential security vulnerabilities?
+  A: Please email the security team at security@plone.org rather than discussing
+  potential security issues publicly.
+
+
+.. _`version support policy`: http://plone.org/support/version-support-policy

product/PloneHotfix20121106/__init__.py

+import logging
+logger = logging.getLogger(__name__)
+
+hotfixes = (
+    'setHeader',
+    'allow_module',
+    'get_request_var_or_attr',
+    'safe_html', # XXX: must be merged into our PortalTransforms product
+    'ftp',
+    'atat',
+    )
+
+# Apply the fixes
+for hotfix in hotfixes:
+    try:
+        __import__('%s.%s' % (__name__, hotfix))
+        logger.info('Applied %s patch', hotfix)
+    except Exception:
+        logger.warn('Could not apply %s', hotfix)
+logger.info('Hotfix installed')

product/PloneHotfix20121106/allow_module.py

+import AccessControl.SecurityInfo
+from AccessControl.SecurityInfo import ModuleSecurityInfo
+
+
+def allow_module(module_name):
+    """Allow a module and all its contents to be used from a
+    restricted Script. The argument module_name may be a simple
+    or dotted module or package name. Note that if a package
+    path is given, all modules in the path will be available."""
+    ModuleSecurityInfo(module_name).setDefaultAccess(1)
+    ModuleSecurityInfo(module_name).declarePrivate('allow_module')
+    dot = module_name.find('.')
+    while dot > 0:
+        ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
+        ModuleSecurityInfo(module_name).declarePrivate('allow_module')
+        dot = module_name.find('.', dot + 1)
+AccessControl.allow_module = AccessControl.SecurityInfo.allow_module = allow_module

product/PloneHotfix20121106/atat.py

+try:
+    from zope.traversing import namespace
+except ImportError:
+    from zope.app.traversing import namespace
+try:
+    from zope.traversing.interfaces import TraversalError
+except ImportError:
+    from zope.exceptions import NotFoundError as TraversalError
+
+old_traverse = namespace.view.traverse
+def traverse(self, name, ignored):
+	if not name:
+		raise TraversalError(self.context, name)
+	return old_traverse(self, name, ignored)
+namespace.view.traverse = traverse

product/PloneHotfix20121106/ftp.py

+from AccessControl import getSecurityManager
+from zExceptions import Unauthorized
+from OFS.ObjectManager import ObjectManager
+
+old_manage_FTPlist = ObjectManager.manage_FTPlist
+def manage_FTPlist(self, REQUEST):
+	if not getSecurityManager().checkPermission('Access contents information', self):
+		raise Unauthorized('Not allowed to access contents.')
+ObjectManager.manage_FTPlist = manage_FTPlist
\ No newline at end of file

product/PloneHotfix20121106/get_request_var_or_attr.py

+from App import Undo
+Undo.UndoSupport.get_request_var_or_attr__roles__ = ()

product/PloneHotfix20121106/setHeader.py

+import re
+from ZPublisher import HTTPResponse
+
+_CRLF = re.compile(r'[\r\n]')
+HTTPResponse._CRLF = _CRLF
+
+
+if getattr(HTTPResponse, '_scrubHeader', None) is None:
+    def _scrubHeader(name, value):
+        return ''.join(_CRLF.split(str(name))), ''.join(_CRLF.split(str(value)))
+
+    HTTPResponse.HTTPResponse.__old_setHeader = HTTPResponse.HTTPResponse.setHeader
+
+    def setHeader(self, name, value, *args, **kwargs):
+        name, value = _scrubHeader(name, value)
+        return self.__old_setHeader(name, value, *args, **kwargs)
+    HTTPResponse.HTTPResponse.setHeader = setHeader