[Checkins] SVN: Products.Zope_Hotfix_CVE_2010_1104/ Release hotfix for CVE-2010-1104.
Tres Seaver
tseaver at palladion.com
Wed Jan 18 21:13:08 UTC 2012
Log message for revision 124072:
Release hotfix for CVE-2010-1104.
Changed:
A Products.Zope_Hotfix_CVE_2010_1104/
A Products.Zope_Hotfix_CVE_2010_1104/tags/
A Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/
A Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/
A Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/Zope_Hotfix_CVE_2010_1104/
A Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/Zope_Hotfix_CVE_2010_1104/__init__.py
A Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/__init__.py
A Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/README.txt
A Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/setup.py
A Products.Zope_Hotfix_CVE_2010_1104/trunk/
A Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/
A Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/Zope_Hotfix_CVE_2010_1104/
A Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/Zope_Hotfix_CVE_2010_1104/__init__.py
A Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/__init__.py
A Products.Zope_Hotfix_CVE_2010_1104/trunk/README.txt
A Products.Zope_Hotfix_CVE_2010_1104/trunk/setup.py
-=-
Added: Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/Zope_Hotfix_CVE_2010_1104/__init__.py
===================================================================
--- Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/Zope_Hotfix_CVE_2010_1104/__init__.py (rev 0)
+++ Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/Zope_Hotfix_CVE_2010_1104/__init__.py 2012-01-18 21:13:08 UTC (rev 124072)
@@ -0,0 +1,104 @@
+import re
+import sys
+import logging
+
+from Acquisition import aq_base
+from App.special_dtml import HTML
+from DocumentTemplate.html_quote import html_quote
+from DocumentTemplate.ustr import ustr
+from OFS.SimpleItem import Item
+from OFS.SimpleItem import logger
+from OFS.SimpleItem import pretty_tb
+from webdav.xmltools import escape as xml_escape
+
+logger = logging.getLogger('Zope_Hotfix_CVE_2010_1104')
+
+def _raise_standardErrorMessage(
+ self, client=None, REQUEST={},
+ error_type=None, error_value=None, tb=None,
+ error_tb=None, error_message='',
+ tagSearch=re.compile(r'[a-zA-Z]>').search,
+ error_log_url=''):
+
+ try:
+ if error_type is None: error_type =sys.exc_info()[0]
+ if error_value is None: error_value=sys.exc_info()[1]
+
+ # allow for a few different traceback options
+ if tb is None and error_tb is None:
+ tb=sys.exc_info()[2]
+ if type(tb) is not type('') and (error_tb is None):
+ error_tb = pretty_tb(error_type, error_value, tb)
+ elif type(tb) is type('') and not error_tb:
+ error_tb = tb
+
+ # turn error_type into a string
+ if hasattr(error_type, '__name__'):
+ error_type=error_type.__name__
+
+ if hasattr(self, '_v_eek'):
+ # Stop if there is recursion.
+ raise error_type, error_value, tb
+ self._v_eek=1
+
+ if str(error_type).lower() in ('redirect',):
+ raise error_type, error_value, tb
+
+ if not error_message:
+ try:
+ s = ustr(error_value)
+ except:
+ s = error_value
+ try:
+ match = tagSearch(s)
+ except TypeError:
+ match = None
+ if match is not None:
+ error_message=error_value
+
+ if client is None: client=self
+ if not REQUEST: REQUEST=self.aq_acquire('REQUEST')
+
+ try:
+ if hasattr(client, 'standard_error_message'):
+ s=getattr(client, 'standard_error_message')
+ else:
+ client = client.aq_parent
+ s=getattr(client, 'standard_error_message')
+ kwargs = {'error_type': error_type,
+ 'error_value': error_value,
+ 'error_tb': error_tb,
+ 'error_traceback': error_tb,
+ 'error_message': xml_escape(str(error_message)),
+ 'error_log_url': error_log_url}
+
+ if getattr(aq_base(s),'isDocTemp',0):
+ v = s(client, REQUEST, **kwargs)
+ elif callable(s):
+ v = s(**kwargs)
+ else:
+ v = HTML.__call__(s, client, REQUEST, **kwargs)
+ except:
+ logger.error(
+ 'Exception while rendering an error message',
+ exc_info=True
+ )
+ try:
+ strv = repr(error_value) # quotes tainted strings
+ except:
+ strv = ('<unprintable %s object>' %
+ str(type(error_value).__name__))
+ v = strv + (
+ (" (Also, the following error occurred while attempting "
+ "to render the standard error message, please see the "
+ "event log for full details: %s)")%(
+ html_quote(sys.exc_info()[1]),
+ ))
+ raise error_type, v, tb
+ finally:
+ if hasattr(self, '_v_eek'): del self._v_eek
+ tb=None
+
+def initialize(context):
+ Item.raise_standardErrorMessage = _raise_standardErrorMessage
+ logger.info('Hotfix installed.')
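Review bot: Nothing in `_raise_standardErrorMessage` marks `'error_message': xml_escape(str(error_message))` as the CVE-2010-1104 change, even though the rest of the body looks like a copy of the stock `Item.raise_standardErrorMessage`. A comment on that line, such as `# CVE-2010-1104: escape error_message before it reaches standard_error_message`, would let an auditor diff the hotfix against the method shipped with their Zope release. `error_value` is still handed to the template unescaped, and the fallback branch builds `v` from `repr(error_value)` without `html_quote`, so the fix presumably relies on templates and the publisher quoting those values; a docstring should say so. `str(error_message)` can raise on a non-ASCII unicode value under Python 2, and the bare `except:` then routes the request into that fallback; the already-imported `ustr` may be the safer conversion if `xml_escape` accepts unicode. `from OFS.SimpleItem import logger` is immediately shadowed by `logger = logging.getLogger('Zope_Hotfix_CVE_2010_1104')` and can be dropped; all of this also applies to the identical trunk copy of the file.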
Added: Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/__init__.py
===================================================================
--- Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/__init__.py (rev 0)
+++ Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/Products/__init__.py 2012-01-18 21:13:08 UTC (rev 124072)
@@ -0,0 +1,6 @@
+# See http://peak.telecommunity.com/DevCenter/setuptools#namespace-packages
+try:
+ __import__('pkg_resources').declare_namespace(__name__)
+except ImportError:
+ from pkgutil import extend_path
+ __path__ = extend_path(__path__, __name__)
Added: Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/README.txt
===================================================================
--- Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/README.txt (rev 0)
+++ Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/README.txt 2012-01-18 21:13:08 UTC (rev 124072)
@@ -0,0 +1,54 @@
+Introduction
+============
+
+This Zope hotfix fixes `CVE 2010-1104`_.
+
+.. _`CVE 2010-1104`: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104
+
+This hotfix has been tested with Zope instances using Zope 2.8.x - 2.11.x.
+Users of Zope 2.12 and greater should instead update to the latest
+corresponding minor revision, which already includes this fix.
+
+.. WARNING:: Zope < 2.12 is no longer officially supported, and may have
+ other unpatched vulnerabilities. You are encouraged to upgrade to
+ a supported Zope 2.
+
+
+Installation
+============
+
+Download the tarball from the PyPI page:
+
+ http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2010_1104
+
+Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of
+your instance. E.g.::
+
+ products /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products
+
+and restart. Alternatively, you may copy or symlink the 'Products'
+directory into the 'Products' subdirectory of your Zope instance. E.g.::
+
+ $ cp -r /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products \
+ /path/to/instance/Products/
+
+
+Verifying the Installation
+--------------------------
+
+After restarting the Zope instance, check the
+'Control_Panel/Products' folder in the Zope Management Interface,
+e.g.:
+
+ http://localhost:8080/Control_Panel/Products/manage_main
+
+You should see the 'Zope_Hotfix_CVE_2010_1104' product folder there.
+
+
+Changelog
+=========
+
+1.0 (2012-01-18)
+----------------
+
+- Initial release
Added: Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/setup.py
===================================================================
--- Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/setup.py (rev 0)
+++ Products.Zope_Hotfix_CVE_2010_1104/tags/1.0/setup.py 2012-01-18 21:13:08 UTC (rev 124072)
@@ -0,0 +1,30 @@
+from setuptools import find_packages
+from setuptools import setup
+
+version = '1.0'
+
+ZSVN = 'http://svn.zope.org/Zope/'
+
+setup(name='Products.Zope_Hotfix_CVE_2010_1104',
+ version=version,
+ description="Hotfix to fix CVE 2010-1104 for Zope 2.8 - 2.13",
+ long_description=open("README.txt").read(),
+ classifiers=[
+ "Programming Language :: Python",
+ "Framework :: Zope2",
+ "License :: OSI Approved :: Zope Public License",
+ ],
+ keywords='security hotfix patch',
+ author='Zope Foundation and Contributors',
+ author_email='zope-dev at zope.org',
+ url=ZSVN + 'hotfixes/Products.Zope_Hotfix_CVE_2010_1104',
+ license='ZPL 2.1',
+ packages=find_packages(),
+ namespace_packages=['Products'],
+ include_package_data=True,
+ zip_safe=False,
+ install_requires=[
+ 'setuptools',
+ # -*- Extra requirements: -*-
+ ],
+)
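Review bot: The `description` string claims coverage of "Zope 2.8 - 2.13", but the README added in this same revision says the hotfix was tested on 2.8.x - 2.11.x and that 2.12 and later should upgrade to a fixed release instead. An operator reading only the package summary could apply the monkey-patch where an upgrade is the intended remedy, so suggest `description="Hotfix to fix CVE 2010-1104 for Zope 2.8 - 2.11",`. `long_description=open("README.txt").read()` also depends on the current working directory and never closes the file; resolving the path from `__file__` would make the build location-independent. The trunk copy of setup.py carries the same lines.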
Added: Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/Zope_Hotfix_CVE_2010_1104/__init__.py
===================================================================
--- Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/Zope_Hotfix_CVE_2010_1104/__init__.py (rev 0)
+++ Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/Zope_Hotfix_CVE_2010_1104/__init__.py 2012-01-18 21:13:08 UTC (rev 124072)
@@ -0,0 +1,104 @@
+import re
+import sys
+import logging
+
+from Acquisition import aq_base
+from App.special_dtml import HTML
+from DocumentTemplate.html_quote import html_quote
+from DocumentTemplate.ustr import ustr
+from OFS.SimpleItem import Item
+from OFS.SimpleItem import logger
+from OFS.SimpleItem import pretty_tb
+from webdav.xmltools import escape as xml_escape
+
+logger = logging.getLogger('Zope_Hotfix_CVE_2010_1104')
+
+def _raise_standardErrorMessage(
+ self, client=None, REQUEST={},
+ error_type=None, error_value=None, tb=None,
+ error_tb=None, error_message='',
+ tagSearch=re.compile(r'[a-zA-Z]>').search,
+ error_log_url=''):
+
+ try:
+ if error_type is None: error_type =sys.exc_info()[0]
+ if error_value is None: error_value=sys.exc_info()[1]
+
+ # allow for a few different traceback options
+ if tb is None and error_tb is None:
+ tb=sys.exc_info()[2]
+ if type(tb) is not type('') and (error_tb is None):
+ error_tb = pretty_tb(error_type, error_value, tb)
+ elif type(tb) is type('') and not error_tb:
+ error_tb = tb
+
+ # turn error_type into a string
+ if hasattr(error_type, '__name__'):
+ error_type=error_type.__name__
+
+ if hasattr(self, '_v_eek'):
+ # Stop if there is recursion.
+ raise error_type, error_value, tb
+ self._v_eek=1
+
+ if str(error_type).lower() in ('redirect',):
+ raise error_type, error_value, tb
+
+ if not error_message:
+ try:
+ s = ustr(error_value)
+ except:
+ s = error_value
+ try:
+ match = tagSearch(s)
+ except TypeError:
+ match = None
+ if match is not None:
+ error_message=error_value
+
+ if client is None: client=self
+ if not REQUEST: REQUEST=self.aq_acquire('REQUEST')
+
+ try:
+ if hasattr(client, 'standard_error_message'):
+ s=getattr(client, 'standard_error_message')
+ else:
+ client = client.aq_parent
+ s=getattr(client, 'standard_error_message')
+ kwargs = {'error_type': error_type,
+ 'error_value': error_value,
+ 'error_tb': error_tb,
+ 'error_traceback': error_tb,
+ 'error_message': xml_escape(str(error_message)),
+ 'error_log_url': error_log_url}
+
+ if getattr(aq_base(s),'isDocTemp',0):
+ v = s(client, REQUEST, **kwargs)
+ elif callable(s):
+ v = s(**kwargs)
+ else:
+ v = HTML.__call__(s, client, REQUEST, **kwargs)
+ except:
+ logger.error(
+ 'Exception while rendering an error message',
+ exc_info=True
+ )
+ try:
+ strv = repr(error_value) # quotes tainted strings
+ except:
+ strv = ('<unprintable %s object>' %
+ str(type(error_value).__name__))
+ v = strv + (
+ (" (Also, the following error occurred while attempting "
+ "to render the standard error message, please see the "
+ "event log for full details: %s)")%(
+ html_quote(sys.exc_info()[1]),
+ ))
+ raise error_type, v, tb
+ finally:
+ if hasattr(self, '_v_eek'): del self._v_eek
+ tb=None
+
+def initialize(context):
+ Item.raise_standardErrorMessage = _raise_standardErrorMessage
+ logger.info('Hotfix installed.')
Added: Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/__init__.py
===================================================================
--- Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/__init__.py (rev 0)
+++ Products.Zope_Hotfix_CVE_2010_1104/trunk/Products/__init__.py 2012-01-18 21:13:08 UTC (rev 124072)
@@ -0,0 +1,6 @@
+# See http://peak.telecommunity.com/DevCenter/setuptools#namespace-packages
+try:
+ __import__('pkg_resources').declare_namespace(__name__)
+except ImportError:
+ from pkgutil import extend_path
+ __path__ = extend_path(__path__, __name__)
Added: Products.Zope_Hotfix_CVE_2010_1104/trunk/README.txt
===================================================================
--- Products.Zope_Hotfix_CVE_2010_1104/trunk/README.txt (rev 0)
+++ Products.Zope_Hotfix_CVE_2010_1104/trunk/README.txt 2012-01-18 21:13:08 UTC (rev 124072)
@@ -0,0 +1,54 @@
+Introduction
+============
+
+This Zope hotfix fixes `CVE 2010-1104`_.
+
+.. _`CVE 2010-1104`: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1104
+
+This hotfix has been tested with Zope instances using Zope 2.8.x - 2.11.x.
+Users of Zope 2.12 and greater should instead update to the latest
+corresponding minor revision, which already includes this fix.
+
+.. WARNING:: Zope < 2.12 is no longer officially supported, and may have
+ other unpatched vulnerabilities. You are encouraged to upgrade to
+ a supported Zope 2.
+
+
+Installation
+============
+
+Download the tarball from the PyPI page:
+
+ http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2010_1104
+
+Unpack the tarball and add a 'products' key to the 'etc/zope.conf' of
+your instance. E.g.::
+
+ products /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products
+
+and restart. Alternatively, you may copy or symlink the 'Products'
+directory into the 'Products' subdirectory of your Zope instance. E.g.::
+
+ $ cp -r /path/to/Products.Zope_Hotfix_CVE_2010_1104/Products \
+ /path/to/instance/Products/
+
+
+Verifying the Installation
+--------------------------
+
+After restarting the Zope instance, check the
+'Control_Panel/Products' folder in the Zope Management Interface,
+e.g.:
+
+ http://localhost:8080/Control_Panel/Products/manage_main
+
+You should see the 'Zope_Hotfix_CVE_2010_1104' product folder there.
+
+
+Changelog
+=========
+
+1.0 (2012-01-18)
+----------------
+
+- Initial release
Added: Products.Zope_Hotfix_CVE_2010_1104/trunk/setup.py
===================================================================
--- Products.Zope_Hotfix_CVE_2010_1104/trunk/setup.py (rev 0)
+++ Products.Zope_Hotfix_CVE_2010_1104/trunk/setup.py 2012-01-18 21:13:08 UTC (rev 124072)
@@ -0,0 +1,30 @@
+from setuptools import find_packages
+from setuptools import setup
+
+version = '1.0'
+
+ZSVN = 'http://svn.zope.org/Zope/'
+
+setup(name='Products.Zope_Hotfix_CVE_2010_1104',
+ version=version,
+ description="Hotfix to fix CVE 2010-1104 for Zope 2.8 - 2.13",
+ long_description=open("README.txt").read(),
+ classifiers=[
+ "Programming Language :: Python",
+ "Framework :: Zope2",
+ "License :: OSI Approved :: Zope Public License",
+ ],
+ keywords='security hotfix patch',
+ author='Zope Foundation and Contributors',
+ author_email='zope-dev at zope.org',
+ url=ZSVN + 'hotfixes/Products.Zope_Hotfix_CVE_2010_1104',
+ license='ZPL 2.1',
+ packages=find_packages(),
+ namespace_packages=['Products'],
+ include_package_data=True,
+ zip_safe=False,
+ install_requires=[
+ 'setuptools',
+ # -*- Extra requirements: -*-
+ ],
+)