[Zope-CMF] cmf-tests - OK: 8

2012-11-09 Thread CMF tests summarizer
This is the summary for test reports received on the 
cmf-tests list between 2012-11-08 00:00:00 UTC and 2012-11-09 00:00:00 UTC:

See the footnotes for test reports of unsuccessful builds.

An up-to-date view of the builders is also available in our 
buildbot documentation: 
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds

Reports received


   CMF-2.2 Zope-2.12 Python-2.6.8 : Linux
   CMF-2.2 Zope-2.13 Python-2.6.8 : Linux
   CMF-2.3 Zope-2.13 Python-2.6.8 : Linux
   CMF-2.3 Zope-trunk Python-2.6.8 : Linux
   CMF-trunk Zope-2.13 Python-2.6.8 : Linux
   CMF-trunk Zope-2.13 Python-2.7.3 : Linux
   CMF-trunk Zope-trunk Python-2.6.8 : Linux
   CMF-trunk Zope-trunk Python-2.7.3 : Linux

Non-OK results
--

___
Zope-CMF maillist  -  Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests


Re: [Zope-CMF] CMF security patches in Products.PloneHotfix20121106

2012-11-09 Thread David Glick (Plone)

On 11/9/12 11:33 AM, Charlie Clark wrote:
> On 09.11.2012, 20:29, David Glick (Plone) wrote:
>
>> We should have informed you earlier. There are a lot of tasks
>> associated with preparing a hotfix (and this one in particular
>> covered many vulnerabilities), and it got missed. I apologize.
>>
>> In the future, what's the best place to report possible CMF security
>> issues? zope-cmf Launchpad?
>
> Hi David,
>
> thanks for the quick response. I would definitely say just post to the
> list to see if we're still alive. Can you say which versions of CMF
> are affected?

Probably any that use getToolByName. The problem is that getToolByName 
can be used to get attributes that wouldn't normally be accessible from 
RestrictedPython. The hotfix adds some checks to make sure that the 
object that was found provides IPersistent or IItem (or is explicitly 
named in the tool registry), so that it is at least much harder to break 
out of the sandbox.

Unfortunately this breaks non-persistent non-item dummy objects used in 
tests unless they are made to provide one of the interfaces that is checked.

David
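The behaviour described in the reply above, as an added illustration that is not CMF, Plone or hotfix code: a small Python model in which a getToolByName-style lookup acquires whatever attribute matches the requested name (so a trusted helper callable from sandboxed code can hand back objects the sandbox's own attribute guards would refuse), beside a hotfix-style guard that only returns registered tool names, persistent/item-like objects, or the caller's own default. Every name in it (Portal, Folder, Node, FakeTool, PersistentLike, TOOL_REGISTRY, acquire, lookup_tool, guarded_lookup_tool, DummyTool, is_rejected) is invented for the illustration; PersistentLike stands in for the IPersistent/IItem check and TOOL_REGISTRY for the tool registry. The last two cases show the test-dummy breakage the reply mentions.

```python
# Added illustration, not code from CMF, Plone or the hotfix.  Models an
# acquisition-style getToolByName beside a hotfix-style guard.  All names
# below are invented for this example; PersistentLike stands in for the
# IPersistent/IItem interface check, TOOL_REGISTRY for the tool registry.

_marker = object()


class PersistentLike:
    """Stand-in for persistent.interfaces.IPersistent / OFS.interfaces.IItem.
    Real CMF tools are persistent ZODB objects, so they pass the check."""


class FakeTool(PersistentLike):
    def __init__(self, tool_id):
        self.id = tool_id


class Node:
    """Object in a containment chain; acquire() falls back to _parent,
    a crude model of Zope acquisition."""

    def __init__(self, parent=None):
        self._parent = parent


class Portal(Node):
    def __init__(self):
        super().__init__(parent=None)
        self.portal_catalog = FakeTool("portal_catalog")
        self.portal_membership = FakeTool("portal_membership")
        # Constructed non-tool attribute on the site object: trusted code may
        # use it, sandboxed code should never receive it by name.
        self._private_helper = open


class Folder(Node):
    pass


class DummyTool:
    """Plain test double: neither persistent nor registered."""


class PersistentDummyTool(PersistentLike):
    """The same test double after it is made to provide the checked interface."""


# Names the site explicitly registers as tools (stand-in for the registry).
TOOL_REGISTRY = {"portal_catalog", "portal_membership"}


def acquire(obj, name, default=_marker):
    """Return the first attribute called `name` on obj or any ancestor."""
    current = obj
    while current is not None:
        try:
            return getattr(current, name)
        except AttributeError:
            current = getattr(current, "_parent", None)
    return default


def lookup_tool(obj, name, default=_marker):
    """Unguarded lookup: hands back whatever acquisition found, tool or not."""
    result = acquire(obj, name, default)
    if result is _marker:
        raise AttributeError(name)
    return result


def guarded_lookup_tool(obj, name, default=_marker):
    """Hotfix-style lookup: only registered names, persistent/item-like
    objects, or the caller's own default come back; anything else is refused."""
    result = lookup_tool(obj, name, default)
    if (isinstance(result, PersistentLike)
            or name in TOOL_REGISTRY
            or result is default):
        return result
    raise TypeError("Object found is not a portal tool (%s)" % (name,))


def is_rejected(obj, name):
    """True if the guarded lookup refuses to return `name` from obj."""
    try:
        guarded_lookup_tool(obj, name)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    portal = Portal()
    folder = Folder(parent=portal)
    for name in ("portal_catalog", "__class__", "_private_helper"):
        print("%-16s unguarded -> %r, guarded rejects: %s"
              % (name, lookup_tool(folder, name), is_rejected(folder, name)))
    portal.portal_dummy = DummyTool()
    print("plain dummy tool rejected:", is_rejected(portal, "portal_dummy"))
    portal.portal_dummy = PersistentDummyTool()
    print("persistent dummy rejected:", is_rejected(portal, "portal_dummy"))
```

Run as a script, the unguarded lookup returns the Folder class object and the builtin stored in `_private_helper` just as readily as it returns the catalog tool, while the guarded lookup refuses both. The guard also refuses the plain DummyTool until it either subclasses PersistentLike or its name is added to TOOL_REGISTRY, which is the test breakage described in the reply; a registered name is trusted even when the object behind it is plain.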


Re: [Zope-CMF] CMF security patches in Products.PloneHotfix20121106

2012-11-09 Thread Charlie Clark
On 09.11.2012, 20:29, David Glick (Plone) wrote:

> We should have informed you earlier. There are a lot of tasks associated
> with preparing a hotfix (and this one in particular covered many
> vulnerabilities), and it got missed. I apologize.
>
> In the future, what's the best place to report possible CMF security
> issues? zope-cmf Launchpad?

Hi David,

thanks for the quick response. I would definitely say just post to the  
list to see if we're still alive. Can you say which versions of CMF are  
affected?


Charlie
--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Kronenstr. 27a
Düsseldorf
D- 40217
Tel: +49-211-600-3657
Mobile: +49-178-782-6226


Re: [Zope-CMF] CMF security patches in Products.PloneHotfix20121106

2012-11-09 Thread David Glick (Plone)

On 11/9/12 11:23 AM, Charlie Clark wrote:
> On 09.11.2012, 17:02, Jens Vagelpohl wrote:
>
>> Hi all,
>>
>> I don't recall any information being provided to the CMF developers
>> about CMF fixes in the most recent Plone Hotfix:
>>
>> http://plone.org/products/plone-hotfix/releases/20121106
>>
>> For example, there's a monkey patch to make sure getToolByName only
>> returns valid tool objects and nothing else, see the attached file.
>>
>> I'm not sure if there's an oversight of not forwarding this
>> information to us or if it was determined this fix is not relevant
>> for the CMF. Would any list member who also works on Plone have an
>> insight?
>>
>> Thanks!
>>
>> jens
>
> I got this back from David Glick after asking secur...@plone.org:
>
> """
> Thanks. We haven't had a chance to start applying the patches in the
> hotfix back to where they really belong, but we'll do so soon.  Note
> that for the time being it should be possible to apply the Plone
> hotfix to pure CMF sites as well to patch this issue.
> """
>
> Still no wiser as to why we weren't informed.


We should have informed you earlier. There are a lot of tasks associated 
with preparing a hotfix (and this one in particular covered many 
vulnerabilities), and it got missed. I apologize.


In the future, what's the best place to report possible CMF security 
issues? zope-cmf Launchpad?

David



Re: [Zope-CMF] CMF security patches in Products.PloneHotfix20121106

2012-11-09 Thread Charlie Clark

On 09.11.2012, 17:02, Jens Vagelpohl wrote:

> Hi all,
>
> I don't recall any information being provided to the CMF developers
> about CMF fixes in the most recent Plone Hotfix:
>
> http://plone.org/products/plone-hotfix/releases/20121106
>
> For example, there's a monkey patch to make sure getToolByName only
> returns valid tool objects and nothing else, see the attached file.
>
> I'm not sure if there's an oversight of not forwarding this information
> to us or if it was determined this fix is not relevant for the CMF.
> Would any list member who also works on Plone have an insight?
>
> Thanks!
>
> jens


I got this back from David Glick after asking secur...@plone.org:

"""
Thanks. We haven't had a chance to start applying the patches in the  
hotfix back to where they really belong, but we'll do so soon.  Note that  
for the time being it should be possible to apply the Plone hotfix to pure  
CMF sites as well to patch this issue.

"""

Still no wiser as to why we weren't informed.

Charlie


[Zope-CMF] CMF security patches in Products.PloneHotfix20121106

2012-11-09 Thread Jens Vagelpohl
Hi all,

I don't recall any information being provided to the CMF developers about CMF 
fixes in the most recent Plone Hotfix:

http://plone.org/products/plone-hotfix/releases/20121106

For example, there's a monkey patch to make sure getToolByName only returns 
valid tool objects and nothing else, see the attached file.

I'm not sure if there's an oversight of not forwarding this information to us 
or if it was determined this fix is not relevant for the CMF. Would any list 
member who also works on Plone have an insight?

Thanks!

jens



from Products.CMFCore import utils
try:
    from Products.CMFPlone.FactoryTool import FauxArchetypeTool
    HAS_FAT = True
except ImportError:
    FauxArchetypeTool = None
    HAS_FAT = False
from persistent.interfaces import IPersistent
try:
    from OFS.interfaces import IItem
except ImportError:
    # Older Zope without OFS.interfaces.IItem: check IPersistent only.
    IItem = IPersistent

try:
    # Names explicitly registered as tools are trusted even when the object
    # found does not provide one of the checked interfaces.
    tool_registry = utils._tool_interface_registry
except AttributeError:
    tool_registry = {}

gtbn = utils.getToolByName
def wrapped_getToolByName(obj, name, default=utils._marker):
    result = gtbn(obj, name, default)
    if IPersistent.providedBy(result) or \
       IItem.providedBy(result) or \
       name in tool_registry or \
       (HAS_FAT and isinstance(result, FauxArchetypeTool)) or \
       result is utils._marker or \
       result is default:
        return result
    else:
        # Anything else reachable by name is not a tool; refuse to hand it
        # back to the (possibly restricted) caller.
        raise TypeError("Object found is not a portal tool (%s)" % (name,))
utils.getToolByName = wrapped_getToolByName

try:
    # Plone re-exports getToolByName under its own utils; patch that alias too.
    import Products.CMFPlone.utils
    Products.CMFPlone.utils.getToolByName = wrapped_getToolByName
except ImportError:
    pass



