On 11/9/12 11:33 AM, Charlie Clark wrote:
> On 09.11.2012, 20:29, David Glick (Plone)
> <[email protected]> wrote:
>> We should have informed you earlier. There are a lot of tasks
>> associated with preparing a hotfix (and this one in particular
>> covered many vulnerabilities), and it got missed. I apologize.
>> In the future, what's the best place to report possible CMF security
>> issues? zope-cmf Launchpad?
> Hi David,
> thanks for the quick response. I would definitely say just post to the
> list to see if we're still alive. Can you say which versions of CMF
> are affected?
Probably any that use getToolByName. The problem is that getToolByName
can be used to get attributes that wouldn't normally be accessible from
RestrictedPython. The hotfix adds some checks to make sure that the
object that was found provides IPersistent or IItem (or is explicitly
named in the tool registry), so that it is at least much harder to break
out of the sandbox.
Unfortunately this breaks non-persistent non-item dummy objects used in
tests unless they are made to provide one of the interfaces that is checked.
David
_______________________________________________
Zope-CMF maillist - [email protected]
https://mail.zope.org/mailman/listinfo/zope-cmf
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
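The guarded lookup David describes (only hand back an object that provides IPersistent or IItem, or whose id is explicitly in the tool registry), as an added, simplified model written for this thread rather than the actual Products.CMFCore code: the marker classes, the registry ids, `Portal`, and the sample objects are all hypothetical stand-ins, and the "legacy" function shows why a non-persistent test dummy passes before the hotfix and is refused after it unless it declares one of the checked interfaces.

```python
from typing import Any


class IPersistent:
    """Marker base standing in for zope's IPersistent (hypothetical)."""


class IItem:
    """Marker base standing in for CMF's IItem (hypothetical)."""


class ToolUnavailable(AttributeError):
    """Raised when a name resolves to an object the guard will not hand out."""


# Constructed set of explicitly registered tool ids (hypothetical values).
TOOL_REGISTRY = frozenset({"portal_catalog", "portal_membership"})


class Portal:
    """Tiny stand-in for a site root that resolves tools by attribute name."""

    def __init__(self, **attrs: Any) -> None:
        for name, obj in attrs.items():
            setattr(self, name, obj)


def legacy_get_tool_by_name(context: Any, name: str) -> Any:
    """Pre-hotfix behaviour: return whatever attribute lookup finds."""
    return getattr(context, name)


def guarded_get_tool_by_name(context: Any, name: str) -> Any:
    """Post-hotfix behaviour as described in the thread: return the object
    only if its id is registered or it provides IPersistent / IItem."""
    obj = getattr(context, name, None)
    if obj is None:
        raise ToolUnavailable(name)
    if name in TOOL_REGISTRY or isinstance(obj, (IPersistent, IItem)):
        return obj
    raise ToolUnavailable(f"{name!r}: unregistered and provides neither IPersistent nor IItem")


class CatalogTool(IPersistent):      # a real persistent tool
    pass

class PlainHelper:                   # non-persistent, non-item object (old test dummy)
    pass

class DummyTool(IItem):              # test dummy fixed by declaring IItem
    pass


def demo() -> dict:
    """Compare legacy and guarded lookups on constructed sample objects."""
    portal = Portal(portal_catalog=CatalogTool(), helper=PlainHelper(), portal_dummy=DummyTool())
    results = {"legacy_helper": legacy_get_tool_by_name(portal, "helper") is portal.helper}
    try:
        guarded_get_tool_by_name(portal, "helper")
        results["guarded_helper"] = "returned"
    except ToolUnavailable:
        results["guarded_helper"] = "refused"
    results["guarded_catalog"] = guarded_get_tool_by_name(portal, "portal_catalog") is portal.portal_catalog
    results["guarded_dummy"] = guarded_get_tool_by_name(portal, "portal_dummy") is portal.portal_dummy
    return results
```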