Prep 2.12.22 release with CVE-2010-1104 fix.

37e4ea77 · Tres Seaver · d280d57c · 37e4ea77 · 37e4ea77 · 37e4ea77
Commit 37e4ea77 authored Jan 18, 2012 by Tres Seaver
Showing with 8 additions and 5 deletions

doc/CHANGES.rst doc/CHANGES.rst +3 -1

setup.py setup.py +1 -1

src/OFS/SimpleItem.py src/OFS/SimpleItem.py +2 -1

src/ZPublisher/tests/exception_handling.txt src/ZPublisher/tests/exception_handling.txt +2 -2

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -5,9 +5,11 @@ This file contains change information for the current Zope release.
 Change information for previous versions of Zope can be found at
 http://docs.zope.org/zope2/releases/.

-2.12.22 (unreleased)
+2.12.22 (2012-01-18)
 --------------------

+- Prevent a cross-site-scripting attack against the default standard
+  error message handling.  (CVE-2010-1104).

 2.12.21 (2011-12-12)
 --------------------

--- a/setup.py
+++ b/setup.py
@@ -16,7 +16,7 @@ import os
 from setuptools import setup, find_packages, Extension

 setup(name='Zope2',
-    version='2.12.22dev',
+    version='2.12.22',
    url='http://www.zope.org',
    license='ZPL 2.1',
    description='Zope2 application server / web framework',

--- a/src/OFS/SimpleItem.py
+++ b/src/OFS/SimpleItem.py
@@ -49,6 +49,7 @@ from DocumentTemplate.ustr import ustr
 from ExtensionClass import Base
 from Persistence import Persistent
 from webdav.Resource import Resource
+from webdav.xmltools import escape as xml_escape
 from zExceptions import Redirect
 from zExceptions import upgradeException
 from zExceptions.ExceptionFormatter import format_exception
@@ -245,7 +246,7 @@ class Item(Base,
                          'error_value': error_value,
                          'error_tb': error_tb,
                          'error_traceback': error_tb,
-                          'error_message': error_message,
+                          'error_message': xml_escape(str(error_message)),
                          'error_log_url': error_log_url}

                if getattr(aq_base(s), 'isDocTemp', 0):

--- a/src/ZPublisher/tests/exception_handling.txt
+++ b/src/ZPublisher/tests/exception_handling.txt
@@ -191,9 +191,9 @@ converts it into zExceptions.NotFound if we are not in debug mode.
    Traceback (most recent call last):
    ...
    HTTPError: HTTP Error 404: Not Found
-    >>> '<p><strong>Resource not found</strong></p>' in browser.contents
+    >>> '&lt;p&gt;&lt;strong&gt;Resource not found&lt;/strong&gt;&lt;/p&gt;' in browser.contents
    True
-    >>> '<p><b>Resource:</b> index_html</p>' in browser.contents
+    >>> '&lt;p&gt;&lt;b&gt;Resource:&lt;/b&gt; index_html&lt;/p&gt;' in browser.contents
    True

    >>> browser.handleErrors = False