Log message for revision 124073: Prep 2.12.22 release with CVE-2010-1104 fix.
Changed:
U Zope/branches/2.12/doc/CHANGES.rst
U Zope/branches/2.12/setup.py
U Zope/branches/2.12/src/OFS/SimpleItem.py
U Zope/branches/2.12/src/ZPublisher/tests/exception_handling.txt
-=-
Modified: Zope/branches/2.12/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.12/doc/CHANGES.rst 2012-01-18 21:13:08 UTC (rev 124072)
+++ Zope/branches/2.12/doc/CHANGES.rst 2012-01-18 21:13:11 UTC (rev 124073)
@@ -5,9 +5,11 @@
 Change information for previous versions of Zope can be found at
 http://docs.zope.org/zope2/releases/.
-2.12.22 (unreleased)
+2.12.22 (2012-01-18)
 --------------------
+- Prevent a cross-site-scripting attack against the default standard
+ error message handling. (CVE-2010-1104).
 2.12.21 (2011-12-12)
 --------------------
Modified: Zope/branches/2.12/setup.py
===================================================================
--- Zope/branches/2.12/setup.py 2012-01-18 21:13:08 UTC (rev 124072)
+++ Zope/branches/2.12/setup.py 2012-01-18 21:13:11 UTC (rev 124073)
@@ -16,7 +16,7 @@
 from setuptools import setup, find_packages, Extension
 setup(name='Zope2',
- version='2.12.22dev',
+ version='2.12.22',
 url='http://www.zope.org',
 license='ZPL 2.1',
 description='Zope2 application server / web framework',
Modified: Zope/branches/2.12/src/OFS/SimpleItem.py
===================================================================
--- Zope/branches/2.12/src/OFS/SimpleItem.py 2012-01-18 21:13:08 UTC (rev 124072)
+++ Zope/branches/2.12/src/OFS/SimpleItem.py 2012-01-18 21:13:11 UTC (rev 124073)
@@ -49,6 +49,7 @@
 from ExtensionClass import Base
 from Persistence import Persistent
 from webdav.Resource import Resource
+from webdav.xmltools import escape as xml_escape
 from zExceptions import Redirect
 from zExceptions import upgradeException
 from zExceptions.ExceptionFormatter import format_exception
@@ -245,7 +246,7 @@
 'error_value': error_value,
 'error_tb': error_tb,
 'error_traceback': error_tb,
- 'error_message': error_message,
+ 'error_message': xml_escape(str(error_message)),
 'error_log_url': error_log_url}
 if getattr(aq_base(s), 'isDocTemp', 0):
Modified: Zope/branches/2.12/src/ZPublisher/tests/exception_handling.txt
===================================================================
--- Zope/branches/2.12/src/ZPublisher/tests/exception_handling.txt 2012-01-18 21:13:08 UTC (rev 124072)
+++ Zope/branches/2.12/src/ZPublisher/tests/exception_handling.txt 2012-01-18 21:13:11 UTC (rev 124073)
@@ -191,9 +191,9 @@
 Traceback (most recent call last):
 ...
 HTTPError: HTTP Error 404: Not Found
- >>> '<p><strong>Resource not found</strong></p>' in browser.contents
+ >>> '<p><strong>Resource not found</strong></p>' in browser.contents
 True
- >>> '<p><b>Resource:</b> index_html</p>' in browser.contents
+ >>> '<p><b>Resource:</b> index_html</p>' in browser.contents
 True
 >>> browser.handleErrors = False
_______________________________________________
Zope-Checkins maillist - Zope-Checkins@zope.org
https://mail.zope.org/mailman/listinfo/zope-checkins
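Review bot: `str(error_message)` on the changed line can itself raise UnicodeEncodeError under Python 2 when error_message is a unicode object (or an exception carrying one) with non-ASCII text, so the fix can turn the error page into a second failure; the enclosing method starts and ends outside the hunk, so whether its own handling catches that cannot be seen here. An explicit conversion before escaping avoids it, e.g. `if isinstance(error_message, unicode): error_message = error_message.encode('utf-8')` (the charset is a constructed example, pick the response charset) followed by the existing `'error_message': xml_escape(str(error_message)),`. The other values in the same dictionary, error_value in particular, are still passed through unescaped; whether that matters depends on how standard_error_message renders them, which this hunk does not show. If webdav.xmltools.escape does not escape quote characters, the result is safe only as element content, which is worth recording on the line, e.g. `# escaped for element content only; see CVE-2010-1104`.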