[Zope-CMF] CMF security patches in Products.PloneHotfix20121106
David Glick (Plone)
david.glick at plone.org
Fri Nov 9 19:45:15 UTC 2012
On 11/9/12 11:33 AM, Charlie Clark wrote:
> On 09.11.2012, 20:29, David Glick (Plone)
> <david.glick at plone.org> wrote:
>
>> We should have informed you earlier. There are a lot of tasks
>> associated with preparing a hotfix (and this one in particular
>> covered many vulnerabilities), and it got missed. I apologize.
>> In the future, what's the best place to report possible CMF security
>> issues? zope-cmf Launchpad?
>
> Hi David,
>
> thanks for the quick response. I would definitely say just post to the
> list to see if we're still alive. Can you say which versions of CMF
> are affected?
>
Probably any that use getToolByName. The problem is that getToolByName
can be used to get attributes that wouldn't normally be accessible from
RestrictedPython. The hotfix adds some checks to make sure that the
object that was found provides IPersistent or IItem (or is explicitly
named in the tool registry), so that it is at least much harder to break
out of the sandbox.
Unfortunately this breaks non-persistent non-item dummy objects used in
tests unless they are made to provide one of the interfaces that is checked.
David
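As an added illustration of the check David describes (not code from Products.PloneHotfix20121106 or Products.CMFCore), the following toy model puts an unguarded lookup that returns whatever `getattr` finds beside a guarded one that only returns objects which are persistent content or whose name is explicitly registered as a tool. The marker classes `Persistent` and `Item`, the `KNOWN_TOOL_NAMES` registry and the sample portal are all constructed here; real code would test `zope.interface`'s `providedBy()` against `IPersistent` / `IItem` instead of `isinstance`.

```python
"""Toy model of the getToolByName hardening described in the message above.

Added illustration, not code from Products.PloneHotfix20121106 or
Products.CMFCore. The marker classes, the tool-name registry and the
sample portal are constructed for this example.
"""
import os


class Persistent:
    """Marker standing in for persistent.interfaces.IPersistent (constructed)."""


class Item:
    """Marker standing in for OFS.interfaces.IItem (constructed)."""


# Constructed stand-in for "explicitly named in the tool registry".
KNOWN_TOOL_NAMES = frozenset({"portal_catalog", "portal_url"})


class Folder(Persistent, Item):
    """Toy content object; its attributes model sub-objects found by lookup."""

    def __init__(self, **attrs):
        for name, value in attrs.items():
            setattr(self, name, value)


def get_tool_unguarded(context, name):
    """Model of the pre-hotfix behaviour: whatever getattr finds is returned,
    even an object that sandboxed code should never be able to reach."""
    return getattr(context, name)


def get_tool_guarded(context, name):
    """Model of the hotfix check: the looked-up object is returned only if it
    is persistent content (IPersistent/IItem, modelled here as base classes)
    or if the name is explicitly registered as a tool."""
    obj = getattr(context, name)
    if name in KNOWN_TOOL_NAMES or isinstance(obj, (Persistent, Item)):
        return obj
    # Anything else is treated as not found, so sandboxed code cannot use
    # the lookup helper to reach arbitrary non-content attributes.
    raise AttributeError(name)


def build_sample_portal():
    """Constructed portal: one persistent tool, one non-persistent object that
    is registered by name, one unregistered dummy, and a module attribute."""
    return Folder(
        portal_catalog=Folder(),   # persistent content, also registered
        portal_url=object(),       # not persistent, but registered by name
        plain_dummy=object(),      # neither: the guard rejects it
        os_module=os,              # a module: the guard rejects it
    )


def lookup_outcome(lookup, context, name):
    """Return 'allowed' or 'denied' so the two lookups can be compared."""
    try:
        lookup(context, name)
    except AttributeError:
        return "denied"
    return "allowed"


if __name__ == "__main__":
    portal = build_sample_portal()
    for tool in ("portal_catalog", "portal_url", "plain_dummy", "os_module"):
        print(f"{tool:15} unguarded={lookup_outcome(get_tool_unguarded, portal, tool):7} "
              f"guarded={lookup_outcome(get_tool_guarded, portal, tool)}")
```

Running the block shows the two lookups diverging only on the objects that are neither content nor registered: the unguarded version hands back `os_module` and `plain_dummy`, the guarded one reports them as not found. The `plain_dummy` case is also the compatibility cost David mentions: a non-persistent, non-item dummy used in tests stops resolving unless it is made to provide one of the checked interfaces or is registered by name.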