Commit 44d91a2b authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

Merge remote-tracking branch 'origin/plone_hotfix_20120830'

parents f7299d37 8c4427ab
Plone hotfix, 2012-11-06
========================
This hotfix fixes multiple vulnerabilities in Plone,
including arbitrary code execution and privilege escalation.
This hotfix should be applied to the following versions of Plone:
# Plone 4.3 <= 4.3a2
* Plone 4.2 <= 4.2.2
* Any older version of Plone including 2.1, 2.5, 3.0, 3.1, 3.2, 3.3, 4.0, and 4.1
The hotfix is officially supported by the Plone security team on the
following versions of Plone in accordance with the Plone
`version support policy`_: 3.3.6, 4.1.6, and 4.2.2.
However it has also received some testing on older versions of Plone.
The fixes included here will be incorporated into subsequent releases of Plone,
so Plone 4.2.3, 4.3b1 and greater should not require this hotfix.
Installation
============
Installation instructions can be found at
http://plone.org/products/plone-hotfix/releases/20121106
Q&A
===
Q: How can I confirm that the hotfix is installed correctly and my site is protected?
A: On startup, the hotfix will log a number of messages to the Zope event log
that look like this::
2012-11-05 21:15:26 INFO Products.PloneHotfix20121106 Applied registerConfiglet patch
The exact list of patches attempted depends on the version of Plone.
If a patch is attempted but fails, it will be logged as a warning that says
"Could not apply". This may indicate that you have a non-standard Plone
installation.
Q: How can I report problems installing the patch?
A: Contact the Plone security team at security@plone.org, or visit the
#plone channel on freenode IRC.
Q: How can I report other potential security vulnerabilities?
A: Please email the security team at security@plone.org rather than discussing
potential security issues publicly.
.. _`version support policy`: http://plone.org/support/version-support-policy
import logging
logger = logging.getLogger(__name__)
hotfixes = (
'setHeader',
'allow_module',
'get_request_var_or_attr',
'safe_html', # XXX: must be merged into our PortalTransforms product
'ftp',
'atat',
)
# Apply the fixes
for hotfix in hotfixes:
try:
__import__('%s.%s' % (__name__, hotfix))
logger.info('Applied %s patch', hotfix)
except Exception:
logger.warn('Could not apply %s', hotfix)
logger.info('Hotfix installed')
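Review bot: The `except Exception:` branch in the apply loop discards the exception, so when a patch fails an operator only sees "Could not apply" and has nothing to diagnose a non-standard installation with. Passing the traceback through is a one-line change: `logger.warning('Could not apply %s', hotfix, exc_info=True)`. That also replaces `logger.warn`, which is only a deprecated alias of `logger.warning`. Since a silently skipped patch leaves the corresponding vulnerability open, the failure should be as loud as the log allows.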
import AccessControl.SecurityInfo
from AccessControl.SecurityInfo import ModuleSecurityInfo
def allow_module(module_name):
"""Allow a module and all its contents to be used from a
restricted Script. The argument module_name may be a simple
or dotted module or package name. Note that if a package
path is given, all modules in the path will be available."""
ModuleSecurityInfo(module_name).setDefaultAccess(1)
ModuleSecurityInfo(module_name).declarePrivate('allow_module')
dot = module_name.find('.')
while dot > 0:
ModuleSecurityInfo(module_name[:dot]).setDefaultAccess(1)
ModuleSecurityInfo(module_name).declarePrivate('allow_module')
dot = module_name.find('.', dot + 1)
AccessControl.allow_module = AccessControl.SecurityInfo.allow_module = allow_module
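Review bot: Inside the `while dot > 0:` loop, the second statement calls `ModuleSecurityInfo(module_name).declarePrivate('allow_module')` on the full `module_name` again (already done above the loop) instead of on the parent package `module_name[:dot]` that the preceding line just opened with `setDefaultAccess(1)`, so a parent package's `allow_module` attribute, if it has one, keeps the default access. This looks like a copied line; the intended statement is presumably `ModuleSecurityInfo(module_name[:dot]).declarePrivate('allow_module')`. The docstring should also say why the function now declares `allow_module` private, e.g. `"""... The module's own ``allow_module`` is always kept private so restricted code cannot use it to widen access further."""`.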
try:
from zope.traversing import namespace
except ImportError:
from zope.app.traversing import namespace
try:
from zope.traversing.interfaces import TraversalError
except ImportError:
from zope.exceptions import NotFoundError as TraversalError
old_traverse = namespace.view.traverse
def traverse(self, name, ignored):
if not name:
raise TraversalError(self.context, name)
return old_traverse(self, name, ignored)
namespace.view.traverse = traverse
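Review bot: The replacement `traverse` carries no docstring or comment, so a reader cannot tell what the empty-name check guards against; the module name `atat` hints at a bare `@@` in a URL, but nothing in the hunk states it. I would add `"""Refuse traversal to an empty view name; every other name is handed to the original ``namespace.view.traverse``."""` above the `if not name:` line. A short comment on the `old_traverse` assignment noting that it must run once per process (the module is imported, not re-executed) would also make the monkey-patch's lifetime explicit.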
from AccessControl import getSecurityManager
from zExceptions import Unauthorized
from OFS.ObjectManager import ObjectManager
old_manage_FTPlist = ObjectManager.manage_FTPlist
def manage_FTPlist(self, REQUEST):
if not getSecurityManager().checkPermission('Access contents information', self):
raise Unauthorized('Not allowed to access contents.')
ObjectManager.manage_FTPlist = manage_FTPlist
\ No newline at end of file
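Review bot: The new `manage_FTPlist` never calls `old_manage_FTPlist`, which is saved on the line above the def but unused, so once the permission check passes the method returns `None` and the FTP listing is lost for authorised callers as well; if that line was dropped by the page rendering this does not apply, but as shown the wrapper fails closed for everyone. The missing final line is `return old_manage_FTPlist(self, REQUEST)`. A one-line docstring such as `"""Require 'Access contents information' on the container before listing it over FTP."""` would document the check that the original lacked.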
from App import Undo
Undo.UndoSupport.get_request_var_or_attr__roles__ = ()
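Review bot: The assignment `get_request_var_or_attr__roles__ = ()` is the whole fix and has no explanation of what an empty roles tuple means. I would add, above it, `# An empty __roles__ tuple is what declarePrivate assigns: no role may call get_request_var_or_attr through the web, only trusted code.` so the next maintainer does not mistake `()` for "all roles".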
import re
from ZPublisher import HTTPResponse
_CRLF = re.compile(r'[\r\n]')
HTTPResponse._CRLF = _CRLF
if getattr(HTTPResponse, '_scrubHeader', None) is None:
def _scrubHeader(name, value):
return ''.join(_CRLF.split(str(name))), ''.join(_CRLF.split(str(value)))
HTTPResponse.HTTPResponse.__old_setHeader = HTTPResponse.HTTPResponse.setHeader
def setHeader(self, name, value, *args, **kwargs):
name, value = _scrubHeader(name, value)
return self.__old_setHeader(name, value, *args, **kwargs)
HTTPResponse.HTTPResponse.setHeader = setHeader
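Review bot: The rendered page has lost the indentation, so it is not visible whether the `__old_setHeader` save, the `setHeader` wrapper and the final assignment sit inside the `if getattr(HTTPResponse, '_scrubHeader', None) is None:` branch or after it; if they are outside it, then on a Zope that already provides `_scrubHeader` the wrapper's call to the module-level `_scrubHeader` raises `NameError` on the first `setHeader` call. The guard deserves a comment stating the intent, e.g. `# Only older Zope lacks _scrubHeader; on those, strip CR/LF from header names and values before they reach setHeader so a value cannot smuggle in a second header line.` The wrapper itself should note that `self.__old_setHeader` is not name-mangled here because the def is at module level, which is why the attribute name on the class matches.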