Plone Security Hotfix 20210518

[mauritsvanrees]

The changes from the May 18 hotfix should be merged to core to be available in 5.2 and 6.0.

Anyone could make PRs for this. The internal repository of the hotfix has tests for each though, so it may be good if someone from the @plone/security-team creates the PR. But if someone else starts a PR, we can always copy tests to it later. If you create a PR, please ask me for a review. Help is certainly welcome!

Remote Code Execution via traversal in expressions

• Description: https://plone.org/security/hotfix/20210518/remote-code-execution-via-traversal-in-expressions
• Hotfix file: expressions.py
• Fixed upstream in Zope 4.6 and 5.2
• view/__name__ is allowed as special case in the hotfix, but not in Zope. This is used in plone.app.caching, and maybe other places, so those should be fixed. Actually, in a template from a browser view this is no problem: trusted traverse is used, which happily accepts this. If you customise the template via portal_view_customizations, you get a 404. But replacing __name__ just leads to a similar error in a different part of the customized template, using the main_template master macro. So basically, we would only need to fix templates within skin directories. But those should be turned into browser view templates anyway (looking at you, CMFEditions, and three skin directories in CMFPlone).
• Since Zope is too strict now, we should copy the expressions patch to CMFPlone 5.2.x. PR Add the expressions patch from Products.PloneHotfix20210518. [5.2] #3284
• CMFPlone master should probably also get the fix for now, but I hope we can remove it before a final release. PR Add the expressions patch from Products.PloneHotfix20210518. [6.0] #3285
• coredev 5.2 should use Zope 4.6.2. PR: Use Zope 4.6.2 on Plone 5.2 buildout.coredev#725
• coredev 6.0 should use Zope 5.2 PR Use zope 5.2.1 buildout.coredev#724

Writing arbitrary files via docutils and Python Script

• Description: https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script
• Hotfix file: transforms.py
• Fix Products.PortalTransforms master. PR: REST transform: ignore warnings and stylesheet keyword arguments. Products.PortalTransforms#45
• Released Products.PortalTransforms 3.1.11

Information disclosures: mostly installation logs

• Description: https://plone.org/security/hotfix/20210518/various-information-disclosures
• Hotfix file: genericsetup.py, pas.py, qi.py, xmlrpc_dump_instance.py
• All have already had releases before the hotfix.
• 5.2: Double check if the QuickInstallerTool wrapper in CMFPlone needs the extra protection from qi.py.

Stored XSS from file upload (svg, html)

• Description: https://plone.org/security/hotfix/20210518/stored-xss-from-file-upload-svg-html
• Hotfix file:namedfile.py
• Fix plone.namedfile master. PR: Prevent stored XSS from file upload (svg, html). plone.namedfile#99
• Released plone.namedfile 5.5.0

Reflected XSS in various spots

• Description: https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots
• Hotfix file: skinnable.py, propertymanager.py, publishing.py, pas.py
• Already fixed and released in CMFCore and Products.PluggableAuthService
• 5.2: propertymanager.py and publishing.py need to be merged into Products.CMFPlone:patches/publishing.py. PR: Removed the docstring from methods to avoid publishing them [5.2] #3281
• 6.0: propertymanager.py and publishing.py need to be merged into Products.CMFPlone:patches/publishing.py. PR: Removed the docstring from methods to avoid publishing them [6.0] #3282

XSS vulnerability in CMFDiffTool

• Description: https://plone.org/security/hotfix/20210518/xss-vulnerability-in-cmfdifftool
• Hotfix file: difftool.py
• Products.CMFDiffTool master. PR
• Released Products.CMFDiffTool 3.3.3

Stored XSS from user fullname

• Description: https://plone.org/security/hotfix/20210518/stored-xss-from-user-fullname
• Hotfix file: pa_users.py
• This is a workaround. It could be merged into:
• plone.app.users 2.6.x.
• plone.app.users master.
• Better would be to fix it in javascript, where innerText is used. That was not feasible in a hotfix though. I created an issue in mockup.
• 5.2: mockup 3.x and plone.staticresources 1.x
• 6.0: mockup master and plone.staticresources master
• Or maybe it can be fixed in plone.app.vocabularies, which I think is where the users vocabulary comes from, by calling the safe html transform on fullnames. Ah, no, this is in plone.app.content.browser.vocabulary. So we fix it there, together with the fix for the folder contents at the bottom of this comment:
• 5.2: plone.app.content 3.x. PR: Fixed stored XSS in folder contents and user fullname. [3.x] plone.app.content#229
• 6.0: plone.app.content master. PR: Fixed stored XSS in folder contents and user fullname. [master] plone.app.content#230
• Released plone.app.content 3.8.8 and 4.0.0a3.

Blind SSRF via feedparser accessing an internal URL

• Description: https://plone.org/security/hotfix/20210518/blind-ssrf-via-feedparser-accessing-an-internal-url
• Hotfix file: portlets.py
• This fix only allows http and https, not file urls. In the future it would be nice to have some central code that you can check before requesting a url, similar to isURLInPortal.
• 5.2: plone.app.portlets 4.4.x. PR Only allow http and https urls in RSS portlet. [4.4.x/5.2] plone.app.portlets#149
• 6.0: plone.app.portlets master. PR Only allow http and https urls in RSS portlet. [master / 6.0] plone.app.portlets#150
• Released plone.app.portlets 4.4.7 and 5.0.0a2

Server Side Request Forgery via event ical URL

• Description: https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-event-ical-url
• Hotfix file: event.py
• This fix only allows http and https, not file urls. In the future it would be nice to have some central code that you can check before requesting a url, similar to isURLInPortal.
• 5.2: plone.app.event 3.2.x. PR: Do not allow file: protocol in ical url. [3.2.x] plone.app.event#335
• 6.0: plone.app.event master. PR: Do not allow file: protocol in ical url. [master] plone.app.event#336
• Released plone.app.event 3.2.12 and 4.0.0a4

Server Side Request Forgery via lxml parser

• Description: https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser
• Hotfix file: modeleditor.py, supermodel.py, theming.py. But the modeleditor and supermodel fix were already in releases from November. They were included in the hotfix to make these similar fixes available for older versions.
• 5.2: plone.app.dexterity 2.6.x was already fixed last year in 2.6.8.
• 6.0: plone.app.dexterity master: has the same fix.
• plone.supermodel master already fixes last year in 1.6.3.
• 5.2: plone.app.theming 4.1.x. PR: Hotfix 20210518 [4.1.x] plone.app.theming#197
• 6.0: plone.app.theming master PR: Hotfix 20210518 [master] plone.app.theming#198
• Released plone.app.theming 4.1.7 and 5.0.0a1

Stored XSS in folder contents

• Description: https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents
• Hotfix file: content.py
• 5.2: plone.app.content 3.x. PR: Fixed stored XSS in folder contents and user fullname. [3.x] plone.app.content#229
• 6.0: plone.app.content master. PR: Fixed stored XSS in folder contents and user fullname. [master] plone.app.content#230
• Released plone.app.content 3.8.8 and 4.0.0a3.

[mauritsvanrees]

As discussed in the security team today, I have created a public repository with the hotfix code:
https://github.com/plone/Products.PloneHotfix20210518

This includes the tests. Now people outside of the security team can create PRs for the related packages. You are very welcome to do so. Please assign me as reviewer of the PR when you do so.

[mauritsvanrees]

All PRs are merged.
All releases are made, except for Products.CMFPlone.