[Zope-Checkins] SVN: Zope/branches/2.13/ Prep 2.13.12 release with CVE-2010-1104 fix.
Tres Seaver
tseaver at palladion.com
Wed Jan 18 21:13:16 UTC 2012
Log message for revision 124074:
Prep 2.13.12 release with CVE-2010-1104 fix.
Changed:
U Zope/branches/2.13/doc/CHANGES.rst
U Zope/branches/2.13/setup.py
U Zope/branches/2.13/src/OFS/SimpleItem.py
U Zope/branches/2.13/src/ZPublisher/tests/exception_handling.txt
-=-
Modified: Zope/branches/2.13/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.13/doc/CHANGES.rst 2012-01-18 21:13:11 UTC (rev 124073)
+++ Zope/branches/2.13/doc/CHANGES.rst 2012-01-18 21:13:16 UTC (rev 124074)
@@ -5,9 +5,12 @@
Change information for previous versions of Zope can be found at
http://docs.zope.org/zope2/releases/.
-2.13.12 (unreleased)
+2.13.12 (2012-01-18)
--------------------
+- Prevent a cross-site-scripting attack against the default standard
+ error message handling. (CVE-2010-1104).
+
- Use ``in`` operator instead of deprecated ``has_key`` method (which
is not implemented by ``OFS.ObjectManager``). This fixes an issue
with WebDAV requests for skin objects.
Modified: Zope/branches/2.13/setup.py
===================================================================
--- Zope/branches/2.13/setup.py 2012-01-18 21:13:11 UTC (rev 124073)
+++ Zope/branches/2.13/setup.py 2012-01-18 21:13:16 UTC (rev 124074)
@@ -23,7 +23,7 @@
setup(name='Zope2',
- version='2.13.12dev',
+ version='2.13.12',
url='http://zope2.zope.org',
license='ZPL 2.1',
description='Zope2 application server / web framework',
Modified: Zope/branches/2.13/src/OFS/SimpleItem.py
===================================================================
--- Zope/branches/2.13/src/OFS/SimpleItem.py 2012-01-18 21:13:11 UTC (rev 124073)
+++ Zope/branches/2.13/src/OFS/SimpleItem.py 2012-01-18 21:13:16 UTC (rev 124074)
@@ -45,6 +45,7 @@
from ExtensionClass import Base
from Persistence import Persistent
from webdav.Resource import Resource
+from webdav.xmltools import escape as xml_escape
from zExceptions import Redirect
from zExceptions.ExceptionFormatter import format_exception
from zope.interface import implements
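Review bot: the helper imported here as `xml_escape` comes from `webdav.xmltools`, yet its output is placed into an HTML error page. Please confirm in the review that it escapes quote characters as well as `&`, `<` and `>`; if it only covers the XML text-node cases, a message that a template interpolates into an attribute would still need an HTML-specific escaper.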
@@ -232,7 +233,7 @@
'error_value': error_value,
'error_tb': error_tb,
'error_traceback': error_tb,
- 'error_message': error_message,
+ 'error_message': xml_escape(str(error_message)),
'error_log_url': error_log_url}
if getattr(aq_base(s), 'isDocTemp', 0):
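Review bot: `str(error_message)` will raise `UnicodeEncodeError` on a unicode message containing non-ASCII characters, turning error reporting itself into a second error; consider escaping a unicode value directly and only coercing byte strings, or wrapping the conversion so the error page still renders. The same dict still passes `error_value`, `error_tb` and `error_traceback` through unescaped, so this change only protects the `error_message` field; it is worth stating in the commit whether the template is expected to escape the remaining keys.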
Modified: Zope/branches/2.13/src/ZPublisher/tests/exception_handling.txt
===================================================================
--- Zope/branches/2.13/src/ZPublisher/tests/exception_handling.txt 2012-01-18 21:13:11 UTC (rev 124073)
+++ Zope/branches/2.13/src/ZPublisher/tests/exception_handling.txt 2012-01-18 21:13:16 UTC (rev 124074)
@@ -203,9 +203,9 @@
Traceback (most recent call last):
...
HTTPError: HTTP Error 404: Not Found
- >>> '<p><strong>Resource not found</strong></p>' in browser.contents
+ >>> '<p><strong>Resource not found</strong></p>' in browser.contents
True
- >>> '<p><b>Resource:</b> index_html</p>' in browser.contents
+ >>> '<p><b>Resource:</b> index_html</p>' in browser.contents
True
>>> browser.handleErrors = False
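Review bot: the removed and added doctest lines read identically here, so this hunk appears to be a whitespace-only adjustment and does not exercise the fix. A regression test would assert that a request whose error message contains a `<` character produces `&lt;` in `browser.contents` and that the raw character is absent, so that the escaping in `OFS/SimpleItem.py` cannot silently regress.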