The changes from the May 18 hotfix should be merged to core to be available in 5.2 and 6.0.

Anyone could make PRs for this. The internal repository of the hotfix has tests for each though, so it may be good if someone from the @plone/security-team creates the PR. But if someone else starts a PR, we can always copy tests to it later. If you create a PR, please ask me for a review. Help is certainly welcome!

Remote Code Execution via traversal in expressions

Hotfix file: expressions.py

view/__name__ is allowed as a special case in the hotfix, but not in Zope. This is used in plone.app.caching, and maybe other places, so those should be fixed. Actually, in a template from a browser view this is no problem: trusted traverse is used, which happily accepts this. If you customise the template via portal_view_customizations, you get a 404. But replacing __name__ just leads to a similar error in a different part of the customized template, using the main_template master macro. So basically, we would only need to fix templates within skin directories. But those should be turned into browser view templates anyway (looking at you, CMFEditions, and three skin directories in CMFPlone).

Writing arbitrary files via docutils and Python Script

Hotfix file: transforms.py

- Products.PortalTransforms master. PR: REST transform: ignore warnings and stylesheet keyword arguments. Products.PortalTransforms#45

Information disclosures: mostly installation logs

Hotfix file: genericsetup.py, pas.py, qi.py, xmlrpc_dump_instance.py

qi.py.

Stored XSS from file upload (svg, html)

Hotfix file: namedfile.py

- plone.namedfile master. PR: Prevent stored XSS from file upload (svg, html). plone.namedfile#99

Reflected XSS in various spots

Hotfix file: skinnable.py, propertymanager.py, publishing.py, pas.py

- propertymanager.py and publishing.py need to be merged into Products.CMFPlone:patches/publishing.py. PR: Removed the docstring from methods to avoid publishing them [5.2] #3281
- propertymanager.py and publishing.py need to be merged into Products.CMFPlone:patches/publishing.py. PR: Removed the docstring from methods to avoid publishing them [6.0] #3282

XSS vulnerability in CMFDiffTool

Hotfix file: difftool.py

Stored XSS from user fullname

Hotfix file: pa_users.py

- plone.app.users 2.6.x.
- plone.app.users master.

Better would be to fix it in javascript, where innerText is used. That was not feasible in a hotfix though. I created an issue in mockup.

- 5.2: mockup 3.x and plone.staticresources 1.x
- 6.0: mockup master and plone.staticresources master

Or maybe it can be fixed in plone.app.vocabularies, which I think is where the users vocabulary comes from, by calling the safe html transform on fullnames. Ah, no, this is in plone.app.content.browser.vocabulary. So we fix it there, together with the fix for the folder contents at the bottom of this comment:

- plone.app.content 3.x. PR: Fixed stored XSS in folder contents and user fullname. [3.x] plone.app.content#229
- plone.app.content master. PR: Fixed stored XSS in folder contents and user fullname. [master] plone.app.content#230

plone.app.content 3.8.8 and 4.0.0a3.

Blind SSRF via feedparser accessing an internal URL

Hotfix file: portlets.py

This fix only allows http and https, not file urls. In the future it would be nice to have some central code that you can check before requesting a url, similar to isURLInPortal.

- plone.app.portlets 4.4.x. PR: Only allow http and https urls in RSS portlet. [4.4.x/5.2] plone.app.portlets#149
- plone.app.portlets master. PR: Only allow http and https urls in RSS portlet. [master / 6.0] plone.app.portlets#150

Server Side Request Forgery via event ical URL

Hotfix file: event.py

This fix only allows http and https, not file urls. In the future it would be nice to have some central code that you can check before requesting a url, similar to isURLInPortal.

- plone.app.event 3.2.x. PR: Do not allow file: protocol in ical url. [3.2.x] plone.app.event#335
- plone.app.event master. PR: Do not allow file: protocol in ical url. [master] plone.app.event#336

plone.app.event 3.2.12 and 4.0.0a4

Server Side Request Forgery via lxml parser

Hotfix file: modeleditor.py, supermodel.py, theming.py. But the modeleditor and supermodel fix were already in releases from November. They were included in the hotfix to make these similar fixes available for older versions.

- plone.app.dexterity 2.6.x was already fixed last year in 2.6.8.
- plone.app.dexterity master: has the same fix.
- plone.supermodel master was already fixed last year in 1.6.3.
- plone.app.theming 4.1.x. PR: Hotfix 20210518 [4.1.x] plone.app.theming#197
- plone.app.theming master. PR: Hotfix 20210518 [master] plone.app.theming#198

plone.app.theming 4.1.7 and 5.0.0a1

Stored XSS in folder contents

Hotfix file: content.py

- plone.app.content 3.x. PR: Fixed stored XSS in folder contents and user fullname. [3.x] plone.app.content#229
- plone.app.content master. PR: Fixed stored XSS in folder contents and user fullname. [master] plone.app.content#230

This includes the tests. Now people outside of the security team can create PRs for the related packages. You are very welcome to do so. Please assign me as reviewer of the PR when you do so.
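The RSS portlet and ical sections of the issue above both say the hotfix only allows http and https (no file: URLs) and wish for some central code to call before requesting a URL, similar to isURLInPortal. The following is an added example of such a check, written for this page; it is not part of the issue, of the hotfix, or of any Plone package. The function name is_safe_fetch_url, the helper safe_urls and the sample URLs are assumptions made for illustration.

```python
"""Central "may the server fetch this URL?" check (added example, not Plone code).

is_safe_fetch_url, safe_urls and SAMPLE_URLS are names assumed for this
illustration; they do not exist in Plone.
"""
from urllib.parse import urlsplit

# Same policy as the hotfix: only http and https are fetched server-side.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_fetch_url(url):
    """Return True only for an absolute http(s) URL with a non-empty host.

    Rejects file:, ftp:, data:, javascript: and scheme-less or relative
    values, so a server-side fetch (RSS feed, ical import, XML resolver)
    cannot be pointed at the local filesystem. Surrounding whitespace is
    stripped and the scheme compared case-insensitively (urlsplit already
    lowercases it; the .lower() is defensive) so that " file:///etc/passwd"
    and "FILE:///etc/passwd" are refused like "file:///etc/passwd".
    """
    if not isinstance(url, str):
        return False
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. an unbalanced IPv6 literal such as "http://[::1"
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "http:///path" or "http://user@/path" parse with an empty host.
    if not parts.netloc or not parts.hostname:
        return False
    return True


def safe_urls(urls):
    """Filter a list of candidate URLs down to the ones that may be fetched."""
    return [u for u in urls if is_safe_fetch_url(u)]


# Constructed sample inputs covering the cases the check is meant to catch.
SAMPLE_URLS = [
    "https://example.org/feed.xml",
    "http://example.org/calendar.ics",
    "file:///etc/passwd",
    "FILE:///etc/passwd",
    " file:///etc/passwd",
    "ftp://example.org/pub/feed.xml",
    "javascript:alert(1)",
    "data:text/plain,hello",
    "/relative/feed.xml",
    "http:///no-host",
    "http://user@/path",
    "http://[::1",
    "",
]

if __name__ == "__main__":
    for candidate in SAMPLE_URLS:
        verdict = "ACCEPT" if is_safe_fetch_url(candidate) else "REJECT"
        print(f"{verdict} {candidate!r}")
```

Like the hotfix fixes it mirrors, this check is a scheme allow-list only. It stops a feed or ical URL from reading local files, but it does not address the "internal URL" part of the blind SSRF item: an http URL pointing at a loopback or private address still passes. Blocking that needs a separate host or address check (and, for a robust one, resolving the name and checking the resulting addresses) before the fetch, which this example deliberately leaves out.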