Products.cmfplone: Merge patches from PloneHotfix20171128

Created on 30 Nov 2017 · 1 Comment · Source: plone/Products.CMFPlone

On Tuesday November 28 2017 PloneHotfix20171128 was released. This should be merged to various packages in core. This is a master ticket to track all pull requests. I will first list all items that need to be fixed. I will add a link to a PR when I create it (or when someone else has). When a PR has been merged, we can mark the checkbox.

Zope specific issues
Some of the patches are for Zope. I track those in https://github.com/zopefoundation/Zope/issues/227.
They are:

  • [x] Problem 1: open redirection when calling /Redirect
  • [x] Problem 2: Sandbox escape with str.format

Tests/edits in CMFPlone for the str.format changes.

Problem 3: open redirection on login form
Announcement of vulnerability. This needs a fix in CMFPlone in isURLInPortal.
PRs:

Problem 4: XSS using the home_page member property.
Announcement of vulnerability. The home_page property of a user can contain javascript, which gets inserted literally in the page. This should be fixed in Products.PlonePAS.
PRs:

Additionally for this problem, but someone can pick that up in a different ticket:

  • Add a validator in plone.app.users to check the validity of the home_page property to not be malicious.
  • Add an upgrade step to go through all users and check their home_page.
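As an added example (my own code, not code from Products.CMFPlone, Products.PlonePAS or the hotfix), here are the two defensive checks this ticket asks for side by side: a portal-containment check of the kind isURLInPortal is meant to perform for the login-form redirect (Problem 3), and a home_page validator plus an audit pass over existing users (Problem 4 and the two follow-up items). The portal URL, the user records and the function names are constructed for illustration and do not reflect Plone's actual API.

```python
from urllib.parse import urljoin, urlsplit

# Only these schemes may ever be used for a redirect target or a home page.
ALLOWED_SCHEMES = ("http", "https")


def _has_unsafe_chars(value):
    """Reject whitespace, control characters and backslashes outright instead
    of trying to normalise them away; a legitimate URL has none of them."""
    return any(ch.isspace() or not ch.isprintable() or ch == "\\" for ch in value)


def is_url_in_portal(url, portal_url="https://portal.example.org"):
    """Return True only if ``url`` resolves to a location inside the portal.

    Relative paths are resolved against the portal root; absolute URLs must
    match the portal's scheme family, host, port and path prefix exactly.
    (Illustrative check; ``portal_url`` is a constructed default.)
    """
    if not url or _has_unsafe_chars(url):
        return False
    base = portal_url.rstrip("/") + "/"          # ensure "news" joins under the portal path
    portal = urlsplit(base)
    resolved = urlsplit(urljoin(base, url))      # "//host/x" and "scheme:..." are not relative
    if resolved.scheme not in ALLOWED_SCHEMES:   # urlsplit lower-cases the scheme
        return False
    # Compare hostname, not netloc, so user-info tricks ("portal@other") do not match.
    if (resolved.hostname or "").lower() != (portal.hostname or "").lower():
        return False
    try:
        if resolved.port != portal.port:
            return False
    except ValueError:                           # malformed port
        return False
    portal_path = portal.path.rstrip("/")        # "" for a root portal, "/plone" otherwise
    if portal_path and not (
        resolved.path == portal_path or resolved.path.startswith(portal_path + "/")
    ):
        return False
    return True


def validate_home_page(value):
    """Accept an empty value, a site-absolute path ("/Members/joe") or an
    absolute http(s) URL with a host. Everything else, including javascript:,
    data: and scheme-relative "//host" forms, is rejected."""
    value = (value or "").strip()
    if not value:
        return True
    if _has_unsafe_chars(value):
        return False
    parts = urlsplit(value)
    if parts.scheme:
        return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)
    return value.startswith("/") and not value.startswith("//")


def audit_home_pages(users):
    """Upgrade-step style pass: return the ids of users whose stored
    home_page fails validation, so they can be cleared or reviewed."""
    return [uid for uid, home_page in users if not validate_home_page(home_page)]


# Constructed sample member records (user id, stored home_page value).
SAMPLE_USERS = [
    ("alice", "/Members/alice"),
    ("bob", "https://bob.example.net/"),
    ("carol", ""),
    ("mallory", "javascript:alert(document.cookie)"),
]

if __name__ == "__main__":
    for target in ("/news", "//evil.example/", "javascript:alert(1)"):
        print(target, "->", is_url_in_portal(target))
    print("users needing review:", audit_home_pages(SAMPLE_USERS))
```

The containment check deliberately resolves the candidate against the portal root before comparing, so a relative path is accepted while anything that resolves to another host, another port or a path outside the portal prefix is refused; the validator applies the same scheme allow-list to stored values, and the audit function is what an upgrade step would call to find records written before the validator existed.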
Labels: bug, help, high

All comments

All done. Thanks to all who helped!
