[Zope-CMF] CMF security patches in Products.PloneHotfix20121106

David Glick (Plone) david.glick at plone.org
Fri Nov 9 19:45:15 UTC 2012


On 11/9/12 11:33 AM, Charlie Clark wrote:
> On 09.11.2012 at 20:29, David Glick (Plone) 
> <david.glick at plone.org> wrote:
>
>> We should have informed you earlier. There are a lot of tasks 
>> associated with preparing a hotfix (and this one in particular 
>> covered many vulnerabilities), and it got missed. I apologize.
>>  In the future, what's the best place to report possible CMF security 
>> issues? zope-cmf Launchpad?
>
> Hi David,
>
> thanks for the quick response. I would definitely say just post to the 
> list to see if we're still alive. Can you say which versions of CMF 
> are affected?
>
Probably any that use getToolByName. The problem is that getToolByName 
can be used to get attributes that wouldn't normally be accessible from 
RestrictedPython. The hotfix adds some checks to make sure that the 
object that was found provides IPersistent or IItem (or is explicitly 
named in the tool registry), so that it is at least much harder to break 
out of the sandbox.

Unfortunately this breaks non-persistent non-item dummy objects used in 
tests unless they are made to provide one of the interfaces that is checked.

David
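The allow-list check David describes, sketched as an added example (this is not the code of Products.PloneHotfix20121106 or of Products.CMFCore). The zope.interface checks are simulated with plain marker base classes so it runs offline; the portal namespace, the tool registry, the `Helper` object and the dummy tools are all constructed here, and raising on a rejected lookup is an assumption of this example, not a statement about what the real hotfix does.

```python
"""Added example: a getToolByName-style lookup before and after an
interface/registry check of the kind described in the thread.

Assumptions (not from the original thread or project):
- IPersistent and IItem are simulated as marker base classes instead of
  zope.interface interfaces, and "provides" becomes isinstance().
- The portal is a dict standing in for attribute acquisition by name.
- A rejected lookup raises ToolAccessDenied.
"""


class IPersistent:
    """Stand-in for the IPersistent marker interface."""


class IItem:
    """Stand-in for the IItem marker interface."""


class PortalCatalog(IPersistent, IItem):
    """Constructed stand-in for a real, persistent CMF tool."""
    name = "portal_catalog"


class Helper:
    """Constructed non-tool object reachable by name through acquisition.
    It exposes behaviour that sandboxed (RestrictedPython) code should
    never be handed directly."""

    def unrestricted(self):
        return "reached outside the sandbox"


class DummyTool:
    """Constructed test dummy that provides neither interface: this is the
    kind of object the thread says the hotfix breaks in test suites."""
    name = "dummy"


class DummyToolFixed(IItem):
    """The same dummy after being made to provide IItem."""
    name = "dummy"


# Constructed portal namespace: what a lookup by attribute name would find.
PORTAL = {
    "portal_catalog": PortalCatalog(),
    "_helper": Helper(),
    "dummy_broken": DummyTool(),
    "dummy_fixed": DummyToolFixed(),
}

# Names explicitly registered as tools are always allowed.
TOOL_REGISTRY = {"portal_catalog"}


class ToolAccessDenied(Exception):
    """Raised when a looked-up object is not an acceptable tool."""


def get_tool_by_name_unchecked(name, default=None):
    """Pre-check behaviour: return whatever object sits under that name."""
    return PORTAL.get(name, default)


def get_tool_by_name_checked(name, default=None):
    """Checked behaviour: same lookup, but the result must be a registered
    tool or provide IPersistent or IItem; anything else is refused."""
    obj = PORTAL.get(name)
    if obj is None:
        return default
    if name in TOOL_REGISTRY or isinstance(obj, (IPersistent, IItem)):
        return obj
    raise ToolAccessDenied(f"{name!r} is not a tool: {type(obj).__name__}")


def lookup_allowed(name):
    """True if the checked lookup hands the object back, False if refused."""
    try:
        return get_tool_by_name_checked(name) is not None
    except ToolAccessDenied:
        return False


if __name__ == "__main__":
    # The unchecked lookup returns the helper to any caller; the checked one
    # refuses it, still returns the catalog, and rejects the unfixed dummy.
    print(get_tool_by_name_unchecked("_helper").unrestricted())
    for n in ("portal_catalog", "_helper", "dummy_broken", "dummy_fixed"):
        print(n, "allowed" if lookup_allowed(n) else "denied")
```

The last two dummies show the trade-off from the second paragraph: a test fixture that is neither persistent nor an item is refused once the check is in place, and the remedy is to have it provide one of the checked interfaces rather than to loosen the check.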
