On 11/13/2012 05:39 AM, johannes raggam wrote:
> since most users are on the Zope mailing list (2323 users), I think
> it's better to post there (and on Zope-dev).
>
> https://mail.zope.org/mailman/listinfo/zope
>
> johannes
>
> On 11/09/2012 08:45 PM, David Glick (Plone) wrote:
>> On 11/9/12 11:33 AM, Charlie Clark wrote:
>>> On 09.11.2012, 20:29, David Glick (Plone) <david.gl...@plone.org> wrote:
>>>
>>>> We should have informed you earlier. There are a lot of tasks
>>>> associated with preparing a hotfix (and this one in particular
>>>> covered many vulnerabilities), and it got missed. I apologize.
>>>> In the future, what's the best place to report possible CMF
>>>> security issues? zope-cmf Launchpad?
>>>
>>> Hi David,
>>>
>>> thanks for the quick response. I would definitely say just post to
>>> the list to see if we're still alive. Can you say which versions
>>> of CMF are affected?
>>>
>> Probably any that use getToolByName. The problem is that
>> getToolByName can be used to get attributes that wouldn't normally
>> be accessible from RestrictedPython. The hotfix adds some checks to
>> make sure that the object that was found provides IPersistent or
>> IItem (or is explicitly named in the tool registry), so that it is
>> at least much harder to break out of the sandbox.
>>
>> Unfortunately this breaks non-persistent non-item dummy objects used
>> in tests unless they are made to provide one of the interfaces that
>> is checked.
>>
>> David
This issue is now in Launchpad: https://bugs.launchpad.net/zope-cmf/+bug/1079221

Tres.

--
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software  "Excellence by Design"  http://palladion.com

Zope-CMF maillist - Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
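An added example, not code from the CMF hotfix or from anyone in this thread, showing the shape of the check David Glick describes: a tool lookup that only hands back objects providing a persistence or item interface, or ids explicitly registered as tools. IPersistent, IItem, the site object and the tool registry are constructed stand-ins (plain classes and a set, not zope.interface or Products.CMFCore), chosen so the block runs without Zope installed.

```python
class IPersistent:
    """Stand-in marker for persistent.IPersistent (constructed)."""

class IItem:
    """Stand-in marker for OFS.interfaces.IItem (constructed)."""

class ToolNotFound(AttributeError):
    """Raised when a name does not resolve to something that looks like a tool."""

# Stand-in for the explicit tool registry: these ids are accepted regardless.
REGISTERED_TOOL_IDS = {"portal_catalog"}

class Catalog(IPersistent):
    """Constructed persistent tool."""

class UrlTool(IItem):
    """Constructed item-like tool that is not in the registry."""

class DummyTool:
    """Constructed test dummy providing neither interface (the thread's caveat)."""

class Site:
    """Constructed site: tools plus an ordinary attribute that is not a tool."""
    def __init__(self):
        self.portal_catalog = Catalog()
        self.portal_url = UrlTool()
        self.portal_dummy = DummyTool()
        self.helper = object()

def get_tool_unguarded(context, name):
    """Pre-hotfix behaviour: any attribute reachable by name is handed back."""
    return getattr(context, name)

def get_tool_guarded(context, name):
    """Hotfix-style behaviour: the attribute must be persistent, an item,
    or explicitly registered; anything else is treated as not a tool."""
    tool = getattr(context, name, None)
    if tool is None:
        raise ToolNotFound(name)
    if name in REGISTERED_TOOL_IDS or isinstance(tool, (IPersistent, IItem)):
        return tool
    raise ToolNotFound(f"{name!r} resolves to a non-tool object")

def resolves(lookup, name):
    """True if lookup(Site(), name) returns an object, False if it is rejected."""
    try:
        lookup(Site(), name)
        return True
    except AttributeError:
        return False
```

The guarded lookup also rejects `portal_dummy`, which is the test-breakage the thread mentions; a dummy passes again once it is made to provide one of the checked markers, for example `class PersistentDummy(DummyTool, IPersistent)`.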