[Zope-CMF] CMF security patches in Products.PloneHotfix20121106
johannes raggam
raggam-nl at adm.at
Tue Nov 13 10:39:25 UTC 2012
Since most users are on the Zope mailing list (2323 users), I think
it's better to post there (and on Zope-dev).
https://mail.zope.org/mailman/listinfo/zope
johannes
On 11/09/2012 08:45 PM, David Glick (Plone) wrote:
> On 11/9/12 11:33 AM, Charlie Clark wrote:
>> On 09.11.2012, 20:29, David Glick (Plone)
>> <david.glick at plone.org> wrote:
>>
>>> We should have informed you earlier. There are a lot of tasks
>>> associated with preparing a hotfix (and this one in particular
>>> covered many vulnerabilities), and it got missed. I apologize.
>>> In the future, what's the best place to report possible CMF
>>> security issues? zope-cmf Launchpad?
>>
>> Hi David,
>>
>> thanks for the quick response. I would definitely say just post
>> to the list to see if we're still alive. Can you say which
>> versions of CMF are affected?
>>
> Probably any that use getToolByName. The problem is that
> getToolByName can be used to get attributes that wouldn't normally
> be accessible from RestrictedPython. The hotfix adds some checks
> to make sure that the object that was found provides IPersistent
> or IItem (or is explicitly named in the tool registry), so that it
> is at least much harder to break out of the sandbox.
>
> Unfortunately this breaks non-persistent non-item dummy objects
> used in tests unless they are made to provide one of the
> interfaces that is checked.
>
> David
--
programmatic web development
di(fh) johannes raggam / thet
python plone zope development
mail: office at programmatic.pro
web: http://programmatic.pro
http://bluedynamics.com
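The guard David describes in the quoted message, as an added example that is not the hotfix's own code: a checked tool lookup that refuses any object not providing IPersistent or IItem unless its name is explicitly registered, together with the test-dummy breakage he mentions. The REGISTERED_TOOLS contents, the Portal class and its attributes are constructed for the example, and plain marker base classes stand in for the zope.interface interfaces the real code checks.

```python
# Added example, not the PloneHotfix20121106 code: a sketch of the guard David
# describes. Real CMF checks zope.interface interfaces (IPersistent from
# persistent.interfaces, IItem from OFS.interfaces); plain marker base classes
# stand in here so the snippet runs without Zope installed.

class IPersistent: "Stand-in for persistent.interfaces.IPersistent."
class IItem: "Stand-in for OFS.interfaces.IItem."
class Unauthorized(Exception): "Lookup would hand sandboxed code an unsafe object."

# Tool ids the site explicitly registers (assumed values for this example).
REGISTERED_TOOLS = {"portal_catalog", "portal_membership"}

def get_tool_by_name_checked(context, name):
    """Hotfix-style lookup. Before the fix this was just getattr(context,
    name); now the object found must provide IPersistent or IItem, or be
    explicitly named in the tool registry, so RestrictedPython code cannot
    use the lookup to reach arbitrary attributes."""
    tool = getattr(context, name, None)
    if tool is None:
        raise AttributeError(name)
    if name in REGISTERED_TOOLS or isinstance(tool, (IPersistent, IItem)):
        return tool
    raise Unauthorized("%s is neither a registered tool nor a persistent item" % name)

def lookup_allowed(context, name):
    """True if the checked lookup hands the object out, False if it refuses."""
    try:
        get_tool_by_name_checked(context, name)
        return True
    except Unauthorized:
        return False

# Constructed sample objects standing in for a CMF site and its tools.
class Catalog(IPersistent): "A persistent tool, as a real portal_catalog is."
class Dummy: "Typical test dummy: neither persistent nor an OFS item."
class DummyItem(IItem): "The dummy made to provide IItem, the workaround David mentions."

class Portal:
    def __init__(self):
        self.portal_catalog = Catalog()
        self.portal_membership = object()   # passes only because it is registered
        self.helper = lambda: "plain"       # unregistered, non-persistent: refused
        self.dummy = Dummy()                # breaks in tests after the hotfix
        self.dummy_item = DummyItem()       # passes once it provides IItem
```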