[Zope-Checkins] SVN: Zope/branches/2.12/ Prep 2.12.22 release with CVE-2010-1104 fix.
Tres Seaver
tseaver at palladion.com
Wed Jan 18 21:13:12 UTC 2012
Log message for revision 124073:
Prep 2.12.22 release with CVE-2010-1104 fix.
Changed:
U Zope/branches/2.12/doc/CHANGES.rst
U Zope/branches/2.12/setup.py
U Zope/branches/2.12/src/OFS/SimpleItem.py
U Zope/branches/2.12/src/ZPublisher/tests/exception_handling.txt
Modified: Zope/branches/2.12/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.12/doc/CHANGES.rst 2012-01-18 21:13:08 UTC (rev 124072)
+++ Zope/branches/2.12/doc/CHANGES.rst 2012-01-18 21:13:11 UTC (rev 124073)
@@ -5,9 +5,11 @@
Change information for previous versions of Zope can be found at
http://docs.zope.org/zope2/releases/.
-2.12.22 (unreleased)
+2.12.22 (2012-01-18)
--------------------
+- Prevent a cross-site-scripting attack against the default standard
+ error message handling. (CVE-2010-1104).
2.12.21 (2011-12-12)
--------------------
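Review bot: the changelog entry should state what actually changed for template authors, namely that the `error_message` value handed to `standard_error_message` is now HTML-escaped (see the SimpleItem.py hunk below), so sites whose custom error template already escapes that value know to expect it pre-escaped. Something like "- The error_message value passed to standard_error_message is now escaped to prevent cross-site scripting (CVE-2010-1104)." makes the behaviour change discoverable without reading the source.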
Modified: Zope/branches/2.12/setup.py
===================================================================
--- Zope/branches/2.12/setup.py 2012-01-18 21:13:08 UTC (rev 124072)
+++ Zope/branches/2.12/setup.py 2012-01-18 21:13:11 UTC (rev 124073)
@@ -16,7 +16,7 @@
from setuptools import setup, find_packages, Extension
setup(name='Zope2',
- version='2.12.22dev',
+ version='2.12.22',
url='http://www.zope.org',
license='ZPL 2.1',
description='Zope2 application server / web framework',
Modified: Zope/branches/2.12/src/OFS/SimpleItem.py
===================================================================
--- Zope/branches/2.12/src/OFS/SimpleItem.py 2012-01-18 21:13:08 UTC (rev 124072)
+++ Zope/branches/2.12/src/OFS/SimpleItem.py 2012-01-18 21:13:11 UTC (rev 124073)
@@ -49,6 +49,7 @@
from ExtensionClass import Base
from Persistence import Persistent
from webdav.Resource import Resource
+from webdav.xmltools import escape as xml_escape
from zExceptions import Redirect
from zExceptions import upgradeException
from zExceptions.ExceptionFormatter import format_exception
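Review bot: the escaper imported here, `webdav.xmltools.escape`, is being reused for HTML output in the SimpleItem.py hunk below; confirm it escapes double quotes as well as `&`, `<` and `>`, since `error_message` may be interpolated inside an attribute value in a site's error template, where escaping only the three XML metacharacters is not sufficient. If it handles only those three, the standard library's `cgi.escape(value, quote=True)` would also cover double quotes in attribute context.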
@@ -245,7 +246,7 @@
'error_value': error_value,
'error_tb': error_tb,
'error_traceback': error_tb,
- 'error_message': error_message,
+ 'error_message': xml_escape(str(error_message)),
'error_log_url': error_log_url}
if getattr(aq_base(s), 'isDocTemp', 0):
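Review bot: `str(error_message)` on the changed line will raise `UnicodeEncodeError` under Python 2 when the exception message is a unicode string containing non-ASCII characters, which turns the error page itself into a second error; consider escaping the value without forcing it through `str()`, or encoding it explicitly, so non-ASCII messages still render. Separately, this is a visible behaviour change for templates that already apply `html_quote` or TAL's default escaping to `error_message`: they will now double-escape it and show literal entity text, so the change deserves a note in the changelog alongside the CVE reference.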
Modified: Zope/branches/2.12/src/ZPublisher/tests/exception_handling.txt
===================================================================
--- Zope/branches/2.12/src/ZPublisher/tests/exception_handling.txt 2012-01-18 21:13:08 UTC (rev 124072)
+++ Zope/branches/2.12/src/ZPublisher/tests/exception_handling.txt 2012-01-18 21:13:11 UTC (rev 124073)
@@ -191,9 +191,9 @@
Traceback (most recent call last):
...
HTTPError: HTTP Error 404: Not Found
- >>> '<p><strong>Resource not found</strong></p>' in browser.contents
+ >>> '<p><strong>Resource not found</strong></p>' in browser.contents
True
- >>> '<p><b>Resource:</b> index_html</p>' in browser.contents
+ >>> '<p><b>Resource:</b> index_html</p>' in browser.contents
True
>>> browser.handleErrors = False
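Review bot: the removed and added lines of this hunk read identically on this page, so the test change cannot be reviewed as shown; given the SimpleItem.py change, the new expectations presumably assert on the escaped form of that markup. An additional explicit assertion that the raw `<p><strong>Resource not found</strong></p>` string is no longer present in `browser.contents` would make the regression test read unambiguously even when the entity escaping is lost in rendering.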