On 11/13/2012 05:39 AM, johannes raggam wrote:
> since most users are on the Zope mailing list (2323 users), I think
> it's better to post there (and on Zope-dev).
> On 11/09/2012 08:45 PM, David Glick (Plone) wrote:
>> On 11/9/12 11:33 AM, Charlie Clark wrote:
>>> On 09.11.2012, 20:29, David Glick (Plone) wrote:
>>>> We should have informed you earlier. There are a lot of tasks
>>>> associated with preparing a hotfix (and this one in particular
>>>> covered many vulnerabilities), and it got missed. I apologize.
>>>> In the future, what's the best place to report possible CMF
>>>> security issues? zope-cmf Launchpad?
>>> Hi David,
>>> thanks for the quick response. I would definitely say just post to
>>> the list to see if we're still alive. Can you say which versions
>>> of CMF are affected?
>> Probably any that use getToolByName. The problem is that
>> getToolByName can be used to get attributes that wouldn't normally
>> be accessible from RestrictedPython. The hotfix adds some checks to
>> make sure that the object that was found provides IPersistent or
>> IItem (or is explicitly named in the tool registry), so that it is
>> at least much harder to break out of the sandbox.
>> Unfortunately this breaks non-persistent non-item dummy objects used
>> in tests unless they are made to provide one of the interfaces that
>> is checked.
>> David
This issue is now in Launchpad:
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
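To illustrate the check David describes above, here is an added constructed Python model that is not CMF's own code: plain marker classes stand in for IPersistent/IItem, a parent-chain walk stands in for Zope acquisition, and TOOL_REGISTRY is an assumed stand-in for the explicit tool registry.

```python
"""Constructed model of the hardened tool lookup discussed in the thread.
Assumptions: marker classes stand in for IPersistent / IItem, a parent-chain
walk stands in for acquisition, TOOL_REGISTRY for the tool registry."""

class Persistent: pass            # stand-in for IPersistent
class Item: pass                  # stand-in for IItem
class Unauthorized(Exception): pass

class Node:
    """Acquisition-like container: names missing locally are searched upward."""
    def __init__(self, parent=None, **attrs):
        self.parent = parent
        self.__dict__.update(attrs)

    def acquire(self, name):
        node = self
        while node is not None:
            if name in vars(node):
                return vars(node)[name]
            node = node.parent
        raise AttributeError(name)

TOOL_REGISTRY = {"portal_catalog"}   # assumed registry contents

def get_tool_checked(context, name):
    """Post-hotfix lookup: the acquired object must provide IPersistent or IItem
    (marker classes here) unless its name is registered; pre-hotfix, the bare
    acquire() result was returned."""
    obj = context.acquire(name)
    if name not in TOOL_REGISTRY and not isinstance(obj, (Persistent, Item)):
        raise Unauthorized("%s is neither a registered tool nor an item" % name)
    return obj

class PortalCatalog(Persistent): pass
class Helper: pass                # plain object the old lookup would expose
class DummyTool(Item): pass       # test stub made to provide IItem

def demo():
    root = Node(portal_catalog=PortalCatalog(), helper=Helper(), dummy=DummyTool())
    folder = Node(parent=root)
    out = {
        "registered_ok": isinstance(get_tool_checked(folder, "portal_catalog"), PortalCatalog),
        "old_lookup_returns_helper": folder.acquire("helper") is root.helper,
        "marked_dummy_ok": isinstance(get_tool_checked(folder, "dummy"), DummyTool),
    }
    try:
        get_tool_checked(folder, "helper")
        out["new_lookup_blocks_helper"] = False
    except Unauthorized:
        out["new_lookup_blocks_helper"] = True
    return out
```

The DummyTool case shows why the test stubs David mentions stop working unless they are made to provide one of the checked interfaces.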
Zope-CMF maillist - Zope-CMF@zope.org
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests