On 11/9/12 11:33 AM, Charlie Clark wrote:
Am 09.11.2012, 20:29 Uhr, schrieb David Glick (Plone) <david.gl...@plone.org>:

We should have informed you earlier. There are a lot of tasks associated with preparing a hotfix (and this one in particular covered many vulnerabilities), and it got missed. I apologize. In the future, what's the best place to report possible CMF security issues? zope-cmf Launchpad?

Hi David,

thanks for the quick response. I would definitely say just post to the list to see if we're still alive. Can you say which versions of CMF are affected?

Probably any that use getToolByName. The problem is that getToolByName can be used to get attributes that wouldn't normally be accessible from RestrictedPython. The hotfix adds some checks to make sure that the object that was found provides IPersistent or IItem (or is explicitly named in the tool registry), so that it is at least much harder to break out of the sandbox.

Unfortunately this breaks non-persistent non-item dummy objects used in tests unless they are made to provide one of the interfaces that is checked.
Zope-CMF maillist  -  Zope-CMF@zope.org

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests

Reply via email to