nexedi / erp5
Commit ac9a3d51
authored Apr 20, 2022 by Arnaud Fontaine
zope4: Remove very old PloneHotfix20121106.
parent 920c5dcc
Changes: 8 changed files with 0 additions and 2516 deletions

product/PloneHotfix20121106/README.txt                  +0 -51
product/PloneHotfix20121106/__init__.py                 +0 -20
product/PloneHotfix20121106/allow_module.py             +0 -4
product/PloneHotfix20121106/atat.py                     +0 -15
product/PloneHotfix20121106/ftp.py                      +0 -20
product/PloneHotfix20121106/get_request_var_or_attr.py  +0 -2
product/PloneHotfix20121106/safe_html.py                +0 -2387
product/PloneHotfix20121106/setHeader.py                +0 -17
product/PloneHotfix20121106/README.txt (deleted, 100644 → 0)
Plone hotfix, 2012-11-06
========================
This hotfix fixes multiple vulnerabilities in Plone,
including arbitrary code execution and privilege escalation.
This hotfix should be applied to the following versions of Plone:
# Plone 4.3 <= 4.3a2
* Plone 4.2 <= 4.2.2
* Any older version of Plone including 2.1, 2.5, 3.0, 3.1, 3.2, 3.3, 4.0, and 4.1
The hotfix is officially supported by the Plone security team on the
following versions of Plone in accordance with the Plone
`version support policy`_: 3.3.6, 4.1.6, and 4.2.2.
However it has also received some testing on older versions of Plone.
The fixes included here will be incorporated into subsequent releases of Plone,
so Plone 4.2.3, 4.3b1 and greater should not require this hotfix.
Installation
============
Installation instructions can be found at
http://plone.org/products/plone-hotfix/releases/20121106
Q&A
===
Q: How can I confirm that the hotfix is installed correctly and my site is protected?
A: On startup, the hotfix will log a number of messages to the Zope event log
that look like this::
2012-11-05 21:15:26 INFO Products.PloneHotfix20121106 Applied registerConfiglet patch
The exact list of patches attempted depends on the version of Plone.
If a patch is attempted but fails, it will be logged as a warning that says
"Could not apply". This may indicate that you have a non-standard Plone
installation.
Q: How can I report problems installing the patch?
A: Contact the Plone security team at security@plone.org, or visit the
#plone channel on freenode IRC.
Q: How can I report other potential security vulnerabilities?
A: Please email the security team at security@plone.org rather than discussing
potential security issues publicly.
.. _`version support policy`: http://plone.org/support/version-support-policy
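Review bot: the README's own justification for dropping the hotfix ("Plone 4.2.3, 4.3b1 and greater should not require this hotfix") only covers Plone releases, whereas every module in this product patches Zope-level code (ZPublisher.HTTPResponse, OFS.ObjectManager, AccessControl, App.Undo, zope.traversing) and the removal is part of a Zope 4 port ("zope4:" in the commit message), not a Plone upgrade. "Very old" is not the same as "upstream now carries each fix"; the commit message should name the Zope 4, AccessControl and zope.traversing versions that contain the equivalent of each patched function, so that a later reader can verify that nothing regresses.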
product/PloneHotfix20121106/__init__.py (deleted, 100644 → 0)
import
logging
logger
=
logging
.
getLogger
(
__name__
)
hotfixes
=
(
'setHeader'
,
'allow_module'
,
'get_request_var_or_attr'
,
'safe_html'
,
# XXX: must be merged into our PortalTransforms product
'ftp'
,
'atat'
,
)
# Apply the fixes
for
hotfix
in
hotfixes
:
try
:
__import__
(
'%s.%s'
%
(
__name__
,
hotfix
))
logger
.
info
(
'Applied %s patch'
,
hotfix
)
except
Exception
:
logger
.
warn
(
'Could not apply %s'
,
hotfix
)
logger
.
info
(
'Hotfix installed'
)
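Review bot: the comment `# XXX: must be merged into our PortalTransforms product` next to `'safe_html'` records a TODO that this deletion silently closes. If the safe_html changes were never merged into ERP5's PortalTransforms product, removing this package drops them; the commit message should say whether that merge happened (and where), or the `safe_html` entry should stay until it does. Minor, and moot once the file is gone: `logger.info('Hotfix installed')` ran even when every patch had logged "Could not apply", so the README's advice to check the event log for that line was a weak installation check.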
product/PloneHotfix20121106/allow_module.py (deleted, 100644 → 0)
import
AccessControl
AccessControl
.
allow_module
.
__roles__
=
()
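Review bot: `AccessControl.allow_module.__roles__ = ()` denies every role access to `allow_module` through the publisher's security machinery; removing it is only safe if the AccessControl version pinned for the Zope 4 build declares the same roles itself, and nothing on this page shows that upstream equivalent. Please cite that version in the commit message, or add an assertion to the test suite along the lines of `getattr(AccessControl.allow_module, '__roles__', None) == ()` so the protection cannot quietly disappear with a future pin change.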
product/PloneHotfix20121106/atat.py (deleted, 100644 → 0)
try
:
from
zope.traversing
import
namespace
except
ImportError
:
from
zope.app.traversing
import
namespace
try
:
from
zope.traversing.interfaces
import
TraversalError
except
ImportError
:
from
zope.exceptions
import
NotFoundError
as
TraversalError
old_traverse
=
namespace
.
view
.
traverse
def
traverse
(
self
,
name
,
ignored
):
if
not
name
:
raise
TraversalError
(
self
.
context
,
name
)
return
old_traverse
(
self
,
name
,
ignored
)
namespace
.
view
.
traverse
=
traverse
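Review bot: the `except ImportError` fallbacks to `zope.app.traversing` and `zope.exceptions.NotFoundError` only matter on pre-Zope-2.12 stacks and are dead code on Zope 4, which supports dropping the file; but the substantive part of the patch is that `namespace.view.traverse` rejects an empty view name (a bare `@@` in a URL) with `TraversalError`, and the commit message does not say that the pinned zope.traversing raises on an empty name itself. Please add that reference; otherwise the guard is simply lost.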
product/PloneHotfix20121106/ftp.py (deleted, 100644 → 0)
from
AccessControl
import
getSecurityManager
from
zExceptions
import
Unauthorized
from
OFS.ObjectManager
import
ObjectManager
ObjectManager
.
__old_manage_FTPlist
=
ObjectManager
.
manage_FTPlist
def
manage_FTPlist
(
self
,
REQUEST
):
"""Returns a directory listing consisting of a tuple of
(id,stat) tuples, marshaled to a string. Note, the listing it
should include '..' if there is a Folder above the current
one.
In the case of non-foldoid objects it should return a single
tuple (id,stat) representing itself."""
if
not
getSecurityManager
().
checkPermission
(
'Access contents information'
,
self
):
raise
Unauthorized
(
'Not allowed to access contents.'
)
return
self
.
__old_manage_FTPlist
(
REQUEST
)
ObjectManager
.
manage_FTPlist
=
manage_FTPlist
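Review bot: the wrapper adds an explicit `checkPermission('Access contents information', self)` before delegating to the original `manage_FTPlist`, whose docstring says it returns a listing of every id in the folder; removing the wrapper without an equivalent check in the pinned OFS release would let an FTP directory listing bypass that permission. Please reference the OFS/Zope version whose `manage_FTPlist` performs the check, or state that FTP is not served at all in the Zope 4 deployment (Zope 4 moved the ZServer FTP server out of core into the separate ZServer package), which would make the file redundant on different grounds.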
product/PloneHotfix20121106/get_request_var_or_attr.py (deleted, 100644 → 0)
from
App
import
Undo
Undo
.
UndoSupport
.
get_request_var_or_attr__roles__
=
()
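Review bot: setting `get_request_var_or_attr__roles__ = ()` on `App.Undo.UndoSupport` makes that helper unpublishable, the same pattern as the `allow_module` patch, and it has the same review problem: a roles-attribute fix leaves nothing in the public API that can be checked from this diff. The commit message should name the Zope release in which `UndoSupport` declares this itself.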
product/PloneHotfix20121106/safe_html.py (deleted, 100644 → 0)
(diff collapsed on the page; the 2387 deleted lines are not shown)
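Review bot: this file accounts for 2387 of the 2516 deleted lines, yet its diff is collapsed on the page and cannot be reviewed here. Given the `XXX: must be merged into our PortalTransforms product` comment in `__init__.py`, please link the ERP5 PortalTransforms commit that carries the safe_html changes, or expand the diff in the merge request, before this is merged.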
product/PloneHotfix20121106/setHeader.py (deleted, 100644 → 0)
import
re
from
ZPublisher
import
HTTPResponse
_CRLF
=
re
.
compile
(
r'[\r\n]'
)
HTTPResponse
.
_CRLF
=
_CRLF
if
getattr
(
HTTPResponse
,
'_scrubHeader'
,
None
)
is
None
:
def
_scrubHeader
(
name
,
value
):
return
''
.
join
(
_CRLF
.
split
(
str
(
name
))),
''
.
join
(
_CRLF
.
split
(
str
(
value
)))
HTTPResponse
.
HTTPResponse
.
__old_setHeader
=
HTTPResponse
.
HTTPResponse
.
setHeader
def
setHeader
(
self
,
name
,
value
,
*
args
,
**
kwargs
):
name
,
value
=
_scrubHeader
(
name
,
value
)
return
self
.
__old_setHeader
(
name
,
value
,
*
args
,
**
kwargs
)
HTTPResponse
.
HTTPResponse
.
setHeader
=
setHeader
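Review bot: the guard `if getattr(HTTPResponse, '_scrubHeader', None) is None` shows the hotfix already anticipated a ZPublisher that strips CR/LF from headers itself, and that is the actual reason the file is redundant on Zope 4, so the commit message should say so rather than only "very old". Note also that the page has lost indentation, so it is ambiguous whether the `setHeader` wrapper sits inside that `if` block; if it is at module level, `_scrubHeader` is unbound on a ZPublisher that already provides it and the wrapper would fail with `NameError` on the first `setHeader` call, which is a further argument for deleting the file once the pinned ZPublisher scrubs `[\r\n]` in `setHeader` on its own.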