[Zope-CMF] CMF security patches in Products.PloneHotfix20121106

Tres Seaver tseaver at palladion.com
Fri Nov 16 02:27:51 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/13/2012 05:39 AM, johannes raggam wrote:
> since most users are on the Zope mailing list (2323 users), I think 
> it's better to post there (and on Zope-dev).
> 
> https://mail.zope.org/mailman/listinfo/zope
> 
> johannes
> 
> On 11/09/2012 08:45 PM, David Glick (Plone) wrote:
>> On 11/9/12 11:33 AM, Charlie Clark wrote:
>>> On 09.11.2012 at 20:29, David Glick (Plone) 
>>> <david.glick at plone.org> wrote:
>>> 
>>>> We should have informed you earlier. There are a lot of tasks 
>>>> associated with preparing a hotfix (and this one in particular 
>>>> covered many vulnerabilities), and it got missed. I apologize. 
>>>> In the future, what's the best place to report possible CMF 
>>>> security issues? zope-cmf Launchpad?
>>> 
>>> Hi David,
>>> 
>>> thanks for the quick response. I would definitely say just post to
>>> the list to see if we're still alive. Can you say which versions
>>> of CMF are affected?
>>> 
>> Probably any that use getToolByName. The problem is that 
>> getToolByName can be used to get attributes that wouldn't normally 
>> be accessible from RestrictedPython. The hotfix adds some checks to
>> make sure that the object that was found provides IPersistent or
>> IItem (or is explicitly named in the tool registry), so that it is
>> at least much harder to break out of the sandbox.
> 
>> Unfortunately this breaks non-persistent non-item dummy objects used
>> in tests unless they are made to provide one of the interfaces that
>> is checked.
>>
>> David

This issue is now in Launchpad:

 https://bugs.launchpad.net/zope-cmf/+bug/1079221


Tres.
- -- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlClpJoACgkQ+gerLs4ltQ64VgCfTpBXkwd25rME7uaBpcqSCxjq
zY4An3YA809lsfF+obLxx/djzLA+EfdC
=GB3G
-----END PGP SIGNATURE-----
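The guard David describes (the looked-up object must provide IPersistent or IItem, or be explicitly named in the tool registry, before getToolByName hands it to sandboxed code), as an added illustration that is not code from Products.PloneHotfix20121106 or from CMF. Zope's interfaces are replaced by stand-in marker base classes and `isinstance` stands in for `providedBy`; the registry contents, the `Portal` class and every attribute on it are constructed for the example. It also shows the side effect David notes: a test dummy that provides neither interface is refused until it is made to provide one.

```python
"""Added illustration of a checked tool lookup; not the hotfix's own code."""

_marker = object()


class Persistent:
    """Stand-in for the IPersistent interface (assumption: a marker base)."""


class Item:
    """Stand-in for the IItem interface (assumption: a marker base)."""


class ToolAccessDenied(AttributeError):
    """The name resolved to an object the lookup refuses to hand out."""


# Constructed stand-in for the explicit tool registry the hotfix consults.
TOOL_REGISTRY = frozenset({"portal_catalog", "portal_url"})


class CatalogTool(Persistent):
    """A real tool: persistent, and also listed in the registry."""
    id = "portal_catalog"


class DummyTool:
    """Test-style dummy providing neither interface (refused post-hotfix)."""


class DummyItemTool(Item):
    """The same dummy, fixed for tests by providing the Item stand-in."""


class Portal:
    """Constructed sandbox root: tools plus attributes that are not tools."""

    def __init__(self):
        self.portal_catalog = CatalogTool()
        self.portal_dummy = DummyTool()
        self.portal_dummy_fixed = DummyItemTool()
        # Constructed non-tool attribute that sandboxed code should never get.
        self.configuration = {"db_password": "constructed-placeholder"}


def get_tool_unchecked(context, name, default=_marker):
    """Pre-hotfix behaviour: whatever attribute the name reaches is returned,
    so RestrictedPython code can obtain objects the sandbox would not expose."""
    obj = getattr(context, name, _marker)
    if obj is _marker:
        if default is _marker:
            raise AttributeError(name)
        return default
    return obj


def get_tool_checked(context, name, default=_marker):
    """Post-hotfix behaviour: the object must be persistent, an item, or named
    in the registry; anything else is refused instead of returned."""
    obj = getattr(context, name, _marker)
    if obj is _marker:
        if default is _marker:
            raise AttributeError(name)
        return default
    if name in TOOL_REGISTRY or isinstance(obj, (Persistent, Item)):
        return obj
    raise ToolAccessDenied(
        f"{name!r} resolved to a {type(obj).__name__}, which is not a tool")


def outcome(lookup, context, name):
    """Classify one lookup as 'tool', 'leaked', 'denied' or 'missing'."""
    try:
        obj = lookup(context, name)
    except ToolAccessDenied:  # subclass of AttributeError, so catch it first
        return "denied"
    except AttributeError:
        return "missing"
    if name in TOOL_REGISTRY or isinstance(obj, (Persistent, Item)):
        return "tool"
    return "leaked"


if __name__ == "__main__":
    portal = Portal()
    for attr in ("portal_catalog", "configuration", "portal_dummy",
                 "portal_dummy_fixed", "no_such_tool"):
        print(f"{attr:20s} unchecked={outcome(get_tool_unchecked, portal, attr):8s}"
              f" checked={outcome(get_tool_checked, portal, attr)}")
```

The `outcome` helper only exists to put the two behaviours side by side; the security-relevant difference is the single `isinstance`/registry test in `get_tool_checked`, which is why David calls the result "much harder" rather than impossible: it narrows what the lookup can return without changing what RestrictedPython itself permits.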
