Prep 2.13.12 release with CVE-2010-1104 fix.

a0655194 · Tres Seaver · 30e6f16d · a0655194 · a0655194 · a0655194
Commit a0655194 authored Jan 18, 2012 by Tres Seaver
Showing with 9 additions and 5 deletions

doc/CHANGES.rst doc/CHANGES.rst +4 -1

setup.py setup.py +1 -1

src/OFS/SimpleItem.py src/OFS/SimpleItem.py +2 -1

src/ZPublisher/tests/exception_handling.txt src/ZPublisher/tests/exception_handling.txt +2 -2

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -5,9 +5,12 @@ This file contains change information for the current Zope release.
 Change information for previous versions of Zope can be found at
 http://docs.zope.org/zope2/releases/.

-2.13.12 (unreleased)
+2.13.12 (2012-01-18)
 --------------------

+- Prevent a cross-site-scripting attack against the default standard
+  error message handling.  (CVE-2010-1104).
+
 - Use ``in`` operator instead of deprecated ``has_key`` method (which
  is not implemented by ``OFS.ObjectManager``). This fixes an issue
  with WebDAV requests for skin objects.

--- a/setup.py
+++ b/setup.py
@@ -23,7 +23,7 @@ if sys.platform[:3].lower() == "win":


 setup(name='Zope2',
-    version='2.13.12dev',
+    version='2.13.12',
    url='http://zope2.zope.org',
    license='ZPL 2.1',
    description='Zope2 application server / web framework',

--- a/src/OFS/SimpleItem.py
+++ b/src/OFS/SimpleItem.py
@@ -45,6 +45,7 @@ from DocumentTemplate.ustr import ustr
 from ExtensionClass import Base
 from Persistence import Persistent
 from webdav.Resource import Resource
+from webdav.xmltools import escape as xml_escape
 from zExceptions import Redirect
 from zExceptions.ExceptionFormatter import format_exception
 from zope.interface import implements
@@ -232,7 +233,7 @@ class Item(Base,
                          'error_value': error_value,
                          'error_tb': error_tb,
                          'error_traceback': error_tb,
-                          'error_message': error_message,
+                          'error_message': xml_escape(str(error_message)),
                          'error_log_url': error_log_url}

                if getattr(aq_base(s), 'isDocTemp', 0):

--- a/src/ZPublisher/tests/exception_handling.txt
+++ b/src/ZPublisher/tests/exception_handling.txt
@@ -203,9 +203,9 @@ converts it into zExceptions.NotFound if we are not in debug mode.
    Traceback (most recent call last):
    ...
    HTTPError: HTTP Error 404: Not Found
-    >>> '<p><strong>Resource not found</strong></p>' in browser.contents
+    >>> '&lt;p&gt;&lt;strong&gt;Resource not found&lt;/strong&gt;&lt;/p&gt;' in browser.contents
    True
-    >>> '<p><b>Resource:</b> index_html</p>' in browser.contents
+    >>> '&lt;p&gt;&lt;b&gt;Resource:&lt;/b&gt; index_html&lt;/p&gt;' in browser.contents
    True

    >>> browser.handleErrors = False