Since most users are on the Zope mailing list (2323 users), I think
it's better to post there (and on Zope-dev).
On 11/09/2012 08:45 PM, David Glick (Plone) wrote:
> On 11/9/12 11:33 AM, Charlie Clark wrote:
>> On 09.11.2012, 20:29, David Glick (Plone) wrote:
>>> We should have informed you earlier. There are a lot of tasks
>>> associated with preparing a hotfix (and this one in particular
>>> covered many vulnerabilities), and it got missed. I apologize.
>>> In the future, what's the best place to report possible CMF
>>> security issues? zope-cmf Launchpad?
>> Hi David,
>> thanks for the quick response. I would definitely say just post
>> to the list to see if we're still alive. Can you say which
>> versions of CMF are affected?
> Probably any that use getToolByName. The problem is that
> getToolByName can be used to get attributes that wouldn't normally
> be accessible from RestrictedPython. The hotfix adds some checks
> to make sure that the object that was found provides IPersistent
> or IItem (or is explicitly named in the tool registry), so that it
> is at least much harder to break out of the sandbox.
> Unfortunately this breaks non-persistent non-item dummy objects
> used in tests unless they are made to provide one of the
> interfaces that is checked.
> David
programmatic web development
di(fh) johannes raggam / thet
python plone zope development
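The check David describes (a tool fetched by name is only handed back to restricted code if it is explicitly named in the tool registry or provides IPersistent or IItem) can be modelled without Zope. The following is an added illustration written for this thread, not the hotfix's or CMF's own code: the interface markers, the `implementer` decorator, the `Portal` container, the registry contents and all tool classes are constructed stand-ins for zope.interface, the CMF tool registry and real persistent tools. It also shows the side effect the thread mentions, a test dummy that provides no interface being rejected until it declares IItem.

```python
"""Simplified model of a sandbox check around a getToolByName-style lookup.

Constructed stand-ins only: no Zope, Plone or CMF code is imported. The
real hotfix checks zope.interface interfaces on acquisition-wrapped objects;
here interfaces are plain marker classes recorded on the tool's class.
"""


class Interface:
    """Minimal marker interface (stand-in for zope.interface.Interface)."""


class IPersistent(Interface):
    """Stand-in for persistent.interfaces.IPersistent."""


class IItem(Interface):
    """Stand-in for OFS.interfaces.IItem."""


def implementer(*ifaces):
    """Class decorator recording which marker interfaces a class provides."""
    def decorate(cls):
        inherited = getattr(cls, "__provides__", frozenset())
        cls.__provides__ = inherited | frozenset(ifaces)
        return cls
    return decorate


def provides(obj, iface):
    """True if obj's class was decorated with @implementer(iface)."""
    return iface in getattr(type(obj), "__provides__", frozenset())


class ToolLookupError(AttributeError):
    """Raised when a name resolves to something restricted code may not use."""


# Interfaces that mark an object as a legitimate tool for restricted code.
ALLOWED_INTERFACES = (IPersistent, IItem)

# Constructed registry: names explicitly registered as tools are always allowed.
TOOL_REGISTRY = frozenset({"portal_catalog"})


def get_tool_by_name(context, name, registry=TOOL_REGISTRY):
    """Look up `name` on `context` and apply the sandbox check.

    The lookup itself is ordinary attribute access, which is where an
    unchecked implementation would hand back arbitrary attributes; the
    checks after it are what the hotfix adds.
    """
    try:
        tool = getattr(context, name)
    except AttributeError:
        raise ToolLookupError("no attribute named %r on context" % name)
    if name in registry:
        return tool
    if any(provides(tool, iface) for iface in ALLOWED_INTERFACES):
        return tool
    raise ToolLookupError(
        "%r is neither a registered tool nor provides %s"
        % (name, " or ".join(i.__name__ for i in ALLOWED_INTERFACES)))


class Portal:
    """Constructed stand-in for a site root holding tools as attributes."""


@implementer(IPersistent)
class PersistentTool:
    """Stand-in for a real, persistent tool object."""


class PlainHelper:
    """Non-persistent, non-item attribute that should stay out of reach."""


class DummyTool:
    """Test dummy with no interface declaration (breaks under the check)."""


@implementer(IItem)
class DeclaringDummyTool:
    """The same dummy after being made to provide IItem, so it passes."""


def build_portal():
    """Assemble a constructed portal with one attribute per scenario."""
    portal = Portal()
    portal.portal_catalog = PersistentTool()      # registered and persistent
    portal.portal_workflow = PersistentTool()     # unregistered but persistent
    portal._private_helper = PlainHelper()        # neither registered nor marked
    portal.dummy_tool = DummyTool()               # unmarked test dummy
    portal.declaring_dummy = DeclaringDummyTool() # dummy that declares IItem
    return portal


def run_checks(portal=None):
    """Return {attribute name: 'allowed' | 'blocked'} for each scenario."""
    portal = portal or build_portal()
    results = {}
    for name in ("portal_catalog", "portal_workflow", "_private_helper",
                 "dummy_tool", "declaring_dummy"):
        try:
            get_tool_by_name(portal, name)
            results[name] = "allowed"
        except ToolLookupError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print("%-16s %s" % (name, outcome))
```

The registry check runs before the interface check so that explicitly registered tools keep working regardless of what they provide; everything else must carry one of the expected interfaces. For test suites this is the trade-off the thread describes: a dummy used in place of a tool must declare IItem (or IPersistent) or the lookup will refuse it.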
Zope-CMF maillist - Zope-CMF@zope.org
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests