
On 11/13/2012 05:39 AM, johannes raggam wrote:
> Since most users are on the Zope mailing list (2323 users), I think 
> it's better to post there (and on Zope-dev).
> https://mail.zope.org/mailman/listinfo/zope
> johannes
> On 11/09/2012 08:45 PM, David Glick (Plone) wrote:
>> On 11/9/12 11:33 AM, Charlie Clark wrote:
> >>> On 09.11.2012, 20:29, David Glick (Plone) 
> >>> <david.gl...@plone.org> wrote:
>>>> We should have informed you earlier. There are a lot of tasks 
>>>> associated with preparing a hotfix (and this one in particular 
>>>> covered many vulnerabilities), and it got missed. I apologize. 
>>>> In the future, what's the best place to report possible CMF 
>>>> security issues? zope-cmf Launchpad?
>>> Hi David,
>>> thanks for the quick response. I would definitely say just post to
>>> the list to see if we're still alive. Can you say which versions
>>> of CMF are affected?
>> Probably any that use getToolByName. The problem is that 
>> getToolByName can be used to get attributes that wouldn't normally 
>> be accessible from RestrictedPython. The hotfix adds some checks to
>> make sure that the object that was found provides IPersistent or
>> IItem (or is explicitly named in the tool registry), so that it is
>> at least much harder to break out of the sandbox.
>> Unfortunately this breaks non-persistent non-item dummy objects used
>> in tests unless they are made to provide one of the interfaces that
> >> is checked.
> >> David

This issue is now in Launchpad:


-- 
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
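The sandbox problem David describes above, modelled as an added example (this is not Products.CMFCore's code). The marker classes, the tool registry set, the `Portal` object and the probe names `_p_jar` and `manage_delObjects` are all constructed stand-ins: the real hotfix checks zope.interface-provided IPersistent / IItem on the object found by acquisition, while here `getattr` on one object and `isinstance` against marker classes play those roles. The point it shows is the one from the thread: a name-based tool lookup hands restricted code objects it could never reach through its own guarded `getattr` (names starting with `_` are refused by RestrictedPython), the interface check closes that, and a test dummy that provides neither interface then fails the lookup until it is declared to provide one.

```python
"""Model of the getToolByName hardening discussed in the thread.

Added example, not CMF's own code. Registry, marker classes and the
objects below are simplified stand-ins (assumptions).
"""


class IPersistent:
    """Stand-in marker for persistent.interfaces.IPersistent (assumption)."""


class IItem:
    """Stand-in marker for OFS.interfaces.IItem (assumption)."""


class ToolNotAllowed(AttributeError):
    """Raised when the object found for a name is not a tool."""


# Names explicitly registered as tools. Real CMF keeps a tool registry;
# this set is a constructed stand-in (assumption).
TOOL_REGISTRY = {"portal_catalog"}


class Connection:
    """Stand-in for a ZODB connection: neither persistent nor an item."""

    def root(self):
        return {"app": "everything"}


class PortalCatalog(IPersistent, IItem):
    """A normal tool: persistent, item-like and registered by name."""

    def searchResults(self, **query):
        return ["doc-1"] if query else []


class Portal:
    """Stand-in site root holding attributes a name lookup could reach."""

    def __init__(self):
        self.portal_catalog = PortalCatalog()
        # Underscore-prefixed names like this are exactly what RestrictedPython
        # never hands to restricted code through its own getattr.
        self._p_jar = Connection()

    def manage_delObjects(self, ids):
        return list(ids)


def get_tool_unchecked(context, name):
    """Pre-hotfix shape: whatever attribute matches the name is returned,
    so restricted code obtains objects its guarded getattr would refuse."""
    return getattr(context, name)


def get_tool_checked(context, name):
    """Post-hotfix shape: the found object must be a registered tool name
    or provide IPersistent or IItem; otherwise the lookup is refused."""
    obj = getattr(context, name)
    if name in TOOL_REGISTRY or isinstance(obj, (IPersistent, IItem)):
        return obj
    raise ToolNotAllowed("%r is not a tool" % name)


def lookup_outcomes(context, names, lookup):
    """Run `lookup` for each name and record whether it was handed out."""
    out = {}
    for name in names:
        try:
            lookup(context, name)
            out[name] = "returned"
        except ToolNotAllowed:
            out[name] = "refused"
    return out


# Constructed probes: one real tool, one internal attribute, one method.
PROBE_NAMES = ["portal_catalog", "_p_jar", "manage_delObjects"]


class DummyTool:
    """Test double as written before the hotfix: provides no interface."""


class DummyItemTool(IItem):
    """Same test double, declared to provide IItem so the check passes."""


if __name__ == "__main__":
    portal = Portal()
    print("before:", lookup_outcomes(portal, PROBE_NAMES, get_tool_unchecked))
    print("after: ", lookup_outcomes(portal, PROBE_NAMES, get_tool_checked))
    portal.dummy_tool = DummyTool()
    print("dummy:  ", lookup_outcomes(portal, ["dummy_tool"], get_tool_checked))
    portal.dummy_tool = DummyItemTool()
    print("dummy+IItem:", lookup_outcomes(portal, ["dummy_tool"], get_tool_checked))
```

Running it shows all three probes "returned" by the unchecked lookup, only `portal_catalog` "returned" by the checked one, and the plain `DummyTool` refused until it is made to provide `IItem`, which is the test breakage the thread mentions and its fix.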
Zope-CMF maillist  -  Zope-CMF@zope.org
