since most users are on the Zope mailing list (2323 users), i think it's better to post there (and on Zope-dev).
https://mail.zope.org/mailman/listinfo/zope

johannes

On 11/09/2012 08:45 PM, David Glick (Plone) wrote:
> On 11/9/12 11:33 AM, Charlie Clark wrote:
>> On 09.11.2012, 20:29, David Glick (Plone) <[email protected]> wrote:
>>
>>> We should have informed you earlier. There are a lot of tasks associated with preparing a hotfix (and this one in particular covered many vulnerabilities), and it got missed. I apologize. In the future, what's the best place to report possible CMF security issues? zope-cmf Launchpad?
>>
>> Hi David,
>>
>> thanks for the quick response. I would definitely say just post to the list to see if we're still alive. Can you say which versions of CMF are affected?
>>
> Probably any that use getToolByName. The problem is that getToolByName can be used to get attributes that wouldn't normally be accessible from RestrictedPython. The hotfix adds some checks to make sure that the object that was found provides IPersistent or IItem (or is explicitly named in the tool registry), so that it is at least much harder to break out of the sandbox.
>
> Unfortunately this breaks non-persistent non-item dummy objects used in tests unless they are made to provide one of the interfaces that is checked.
>
> David
> _______________________________________________
> Zope-CMF maillist - [email protected]
> https://mail.zope.org/mailman/listinfo/zope-cmf
>
> See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests

--
programmatic web development
di(fh) johannes raggam / thet
python plone zope development
mail: [email protected]
web: http://programmatic.pro
http://bluedynamics.com
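The check David describes in the quoted message, as an added illustration that is not the hotfix's or CMF's own code: a tool lookup that hands back an object only if it provides one of the checked interfaces or its id is in an explicit tool registry. Plain marker classes stand in for the real IPersistent and IItem interfaces, and the registry, portal and tool classes are constructed for the example.

```python
# Added example mirroring the access rule from the thread; not CMF's real code.
# IPersistent / IItem are plain stand-ins for the zope.interface interfaces
# (assumption) so the snippet runs without Zope installed.
class IPersistent:
    """Stand-in for persistent.interfaces.IPersistent (assumption)."""

class IItem:
    """Stand-in for OFS.interfaces.IItem (assumption)."""

class Unauthorized(Exception):
    """Raised when restricted code asks for an object the lookup must not hand out."""

# Constructed registry of tool ids that are accepted regardless of interface.
TOOL_REGISTRY = frozenset({"portal_catalog", "portal_membership"})

class CatalogTool(IPersistent):
    """An ordinary persistent tool."""

class DummyTool(IItem):
    """A test dummy that was made to provide IItem so it still passes the check."""

class PlainHelper:
    """Neither persistent nor an item: must not be reachable by name after the fix."""

class Portal:
    """Constructed stand-in for a site root that holds tools as attributes."""
    def __init__(self):
        self.portal_catalog = CatalogTool()
        self.dummy_tool = DummyTool()
        self.plain_helper = PlainHelper()   # reachable with the unchecked lookup
        self._internal = "not-a-tool"       # reachable with the unchecked lookup

def get_tool_unchecked(context, name):
    """Pre-fix behaviour: whatever attribute the name resolves to is returned."""
    return getattr(context, name)

def get_tool_checked(context, name, default=None):
    """Post-fix behaviour: registered ids, or objects providing IPersistent/IItem."""
    tool = getattr(context, name, None)
    if tool is None:
        return default
    if name in TOOL_REGISTRY or isinstance(tool, (IPersistent, IItem)):
        return tool
    raise Unauthorized(f"{name!r} does not provide a checked interface")

def lookup_is_refused(context, name):
    """True when the checked lookup raises Unauthorized for this name."""
    try:
        get_tool_checked(context, name)
    except Unauthorized:
        return True
    return False
```

The DummyTool case shows the test-breakage David mentions: a dummy that provides neither interface is refused until it is made to provide IItem or IPersistent.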
