{ "info": { "author": "Plone Security Team", "author_email": "security@plone.org", "bugtrack_url": null, "classifiers": [ "Framework :: Plone", "Programming Language :: Python" ], "description": "Plone hotfix, 2016-08-30\n========================\n\nThis hotfix fixes several security issues:\n\n- An attacker could bypass Plone's security method to check if a url is a valid,\n safe url on the site which can lead to XSS attacks on certain pages.\n- In multiple places, Plone blindly uses the `referer` header to redirect a user\n to the next page after a particular action. An attacker could utilize this to\n draw a user into a redirection attack.\n- z3c.form will currently accept data from GET requests when the form is supposed\n to be POST. This allows a user to inject a potential XSS attack into a form,\n which when saved, will cause a XSS attack. Moreover, with certain widgets in Plone\n admin forms, the input is expected to be safe and can cause a reflexive XSS\n attack.\n- Fixes XSS on user information page.\n- Fixes XSS on multiple ZMI pages\n- By using relative paths and guessing locations on a server Plone is installed\n on, an attacker can read data from a target server that the process running\n Plone has permission to read. The attacker needs administrator privileges on\n the Plone site to perform this attack.\n\n\n\nThis hotfix should be applied to the following versions of Plone:\n\n* Plone 5.0.6 and any earlier 5.x version\n* Plone 4.3.11 and any earlier 4.x version\n* Any older version of Plone\n\nThe hotfix is officially supported by the Plone security team on the\nfollowing versions of Plone in accordance with the Plone\n`version support policy`_: 4.0.10, 4.1.6, 4.2.7, 4.3.11 and 5.0.6.\nHowever it has also received some testing on older versions of Plone.\nThe fixes included here will be incorporated into subsequent releases of Plone,\nso Plone 4.3.12, 5.0.7 and greater should not require this hotfix.\n\n\nInstallation\n============\n\nInstallation instructions can be found at\nhttps://plone.org/security/hotfix/20160830\n\n\nApplied patches\n===============\n\nNot all patches need to be applied in all Plone versions.\n\nIf you are using versions of plone.protect prior to 3, the \"confirm\" patch is\nnot necessary and will not successfully apply. This is true for any\nPlone 4 site that does not have plone4.csrffixes installed.\n\nOn default installs of Plone 4.x, the \"user\" patch will not successfully apply\nand does not need to be patched. The patch is only applied when a version of\nplone.app.users greater than 2 is installed.\n\nOn default installs of Plone 4.1.x or lower, the \"resource\" patch will\nnot successfully apply and does not need to be patched. The patch is\nonly applied when plone.resource is installed.\n\nOn default installs of Plone 4.0.x or lower, the \"discussion\" patch will\nnot successfully apply and does not need to be patched. The patch is\nonly applied when plone.app.discussion is installed.\n\nOn default installs of Plone 3 or lower, the \"plonerootlogin\" patch\nwill not successfully apply and does not need to be patched. The patch\nis only applied on Plone 4 and higher.\n\nOn default installs of Plone 3 or lower, the \"z3c_form\" patch\nwill not successfully apply and does not need to be patched. The patch\nis only applied when z3c.form is installed.\n\n\nRedirection to external sites\n=============================\n\nFor any controller page template or script that uses the\n``redirect_to`` action, the url is now checked. If the url is not in\nthe current portal and the domain is not in the\n\"allow_external_login_sites\" property, then Plone refuses to redirect\nto this, and instead redirects to the current page.\n\nOne example where this might affect you, is if you use an external\nsite to login (for example openid, Facebook, Google), or when the\nPlone Site itself is setup as openid provider for other sites. In\nthis or similar cases, you need to update the\n\"allow_external_login_sites\" property.\n\n- On Plone 5 this can done in the Configuration Registry:\n ``/portal_registry/edit/plone.allow_external_login_sites``\n\n- On Plone 4 and lower this can only be done in the Zope Management interface:\n ``portal_properties/site_properties/manage_propertiesForm``.\n\nIf you have own controller page templates or scripts and want to allow\nredirection to external sites without editing this property, you can\nedit the ``.metadata`` file of this template or script and change\n``redirect_to`` into ``external_redirect_to``. This allows both\ninternal and external redirects. This action has been added in this\nhotfix, and will be added to future versions of\n``Products.CMFFormController``.\n\n\nz3c.form and prefilling data\n============================\n\nWith this hotfix, we only use data from the request when the request\nmethod matches the form method. By default all forms are meant for\nPOST requests, and in those we no longer allow prefilling data from a\nGET request. The same is true the other way around, we don't fill in\ndata from POST requests in forms that expect a GET request, but that\nlikely does not happen often.\n\nIf you have a form where this protection is not wanted, you can add an\nattribute ``allow_prefill_from_GET_request`` on the form and set it to\na True value. If you want, you can import this attribute name from\n``Products.PloneHotfix20160830.z3c_form.ALLOW_PREFILL``. This\nattribute will likely be ported to the z3c.form package.\n\nThe attribute was introduced in version 1.3 of the hotfix.\n\n\nQ&A\n===\n\nQ: How can I confirm that the hotfix is installed correctly and my site is protected?\n A: On startup, the hotfix will log a number of messages to the Zope event log\n that look like this::\n\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied resource patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied confirm patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied z3c_form patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied in_portal patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied plonerootlogin patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied redirects patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied redirect_folderfactories patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied redirect_qi patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied redirectto patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied discussion patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied user patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied zmi patch\n 2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Hotfix installed\n\n The exact number of patches applied, will differ depending on what packages you are using.\n If a patch is attempted but fails, it will be logged as a warning that says\n \"Could not apply\". This may indicate that you have a non-standard Plone\n installation.\n\nQ: How can I report problems installing the patch?\n A: Contact the Plone security team at security@plone.org, or visit the\n #plone channel on freenode IRC.\n\nQ: How can I report other potential security vulnerabilities?\n A: Please email the security team at security@plone.org rather than discussing\n potential security issues publicly.\n\n.. _`version support policy`: http://plone.org/support/version-support-policy\n\nChangelog\n=========\n\n\n1.3 (2016-09-08)\n----------------\n\n- Added ``allow_prefill_from_GET_request`` attribute check. With this\n hotfix, we only use data from the request when the request method\n matches the form method. If you have a z3c.form where this\n protection is not wanted, you can add an attribute\n ``allow_prefill_from_GET_request`` on the form and set it to a True\n value. If you want, you can import this attribute name from\n ``Products.PloneHotfix20160830.z3c_form.ALLOW_PREFILL``. You only\n need to update to this version of the hotfix if you have forms where\n this is needed.\n\n\n1.2 (2016-09-06)\n----------------\n\n- Fix plone.app.discussion patch to still work for deleting comments on\n versions older than 2.3.3\n\n\n1.1 (2016-09-01)\n----------------\n\n- Fixed z3c.form patch for Plone 3. Plone 3 does not use z3c.form by\n default. If you have an add-on that *does* use it, you should\n upgrade, otherwise you get errors when showing such a form. Plone 4\n and higher work fine with the previous version of the patch.\n\n- Updated plone.app.users patch to work on Plone 4.x even though it is\n not vulnerable. On standard Plone 4 there should be no reason to\n upgrade to this version. If you have custom code that changes\n ``UserDataPanel`` you may need this update though. There is a\n simple check: if on Plone 4 as Manager when you visit\n ``@@user-information?userid=non-existing-user`` you get an error,\n then you are safe.\n\n\n1.0 (2016-08-30)\n----------------\n\n- Initial release", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/plone", "keywords": "plone security hotfix patch", "license": "GPL", "maintainer": "", "maintainer_email": "", "name": "Products.PloneHotfix20160830", "package_url": "https://pypi.org/project/Products.PloneHotfix20160830/", "platform": "", "project_url": "https://pypi.org/project/Products.PloneHotfix20160830/", "project_urls": { "Homepage": "https://github.com/plone" }, "release_url": "https://pypi.org/project/Products.PloneHotfix20160830/1.3/", "requires_dist": null, "requires_python": "", "summary": "Various Plone hotfixes, 2016-08-30", "version": "1.3" }, "last_serial": 2332208, "releases": { "1.0": [ { "comment_text": "", "digests": { "md5": "b403088bf99c533e274b6b46e9c92dd8", "sha256": "ea73a8345cc5e36f6c4adec2c54a0ec23416fe9eda99e535af92c6e78f2c5c67" }, "downloads": -1, "filename": "Products.PloneHotfix20160830-1.0.tar.gz", "has_sig": false, "md5_digest": "b403088bf99c533e274b6b46e9c92dd8", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 19252, "upload_time": "2016-08-30T15:00:26", "url": "https://files.pythonhosted.org/packages/92/13/d7371cf730ac1d131366f192963cce900f9a7a61d92f4896ee594240a986/Products.PloneHotfix20160830-1.0.tar.gz" } ], "1.1": [ { "comment_text": "", "digests": { "md5": "9a72fddc1860adcfc9a4566b8f0f2922", "sha256": "4b64e399c060e2985e89bacea577139d6d8147d7ae8c5bab17591b7e8a3a8c67" }, "downloads": -1, "filename": "Products.PloneHotfix20160830-1.1.tar.gz", "has_sig": false, "md5_digest": "9a72fddc1860adcfc9a4566b8f0f2922", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 21732, "upload_time": "2016-09-01T13:11:47", "url": "https://files.pythonhosted.org/packages/56/4f/ccf1272f4b15cc1038563bbb21db6023f4594374892912fb2e369c5b20bf/Products.PloneHotfix20160830-1.1.tar.gz" } ], "1.2": [ { "comment_text": "", "digests": { "md5": "754db4aefc5f5293d879b18802bfcdbd", "sha256": "6a6d57bf8671e0843da25a9dca80b7ff75b8bf4c8eaa16c0fc211be0b76e498d" }, "downloads": -1, "filename": "Products.PloneHotfix20160830-1.2.tar.gz", "has_sig": false, "md5_digest": "754db4aefc5f5293d879b18802bfcdbd", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 21739, "upload_time": "2016-09-06T19:55:18", "url": "https://files.pythonhosted.org/packages/45/ac/bcf98c7a2c815c4c47f1d8581872b3478a64e1d023372510c8fb57cbf250/Products.PloneHotfix20160830-1.2.tar.gz" } ], "1.3": [ { "comment_text": "", "digests": { "md5": "9545f94e76f12fab56ce787e342ab2e3", "sha256": "5546a040ba6bab1d4ea6203a7412fd9913f5566b21112ff7fe57a887ccd01bf6" }, "downloads": -1, "filename": "Products.PloneHotfix20160830-1.3.tar.gz", "has_sig": false, "md5_digest": "9545f94e76f12fab56ce787e342ab2e3", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 23134, "upload_time": "2016-09-08T19:52:48", "url": "https://files.pythonhosted.org/packages/ca/c4/09b258b8f4fc6949782a37687c5dc041569784537efad25026996ea78aac/Products.PloneHotfix20160830-1.3.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "9545f94e76f12fab56ce787e342ab2e3", "sha256": "5546a040ba6bab1d4ea6203a7412fd9913f5566b21112ff7fe57a887ccd01bf6" }, "downloads": -1, "filename": "Products.PloneHotfix20160830-1.3.tar.gz", "has_sig": false, "md5_digest": "9545f94e76f12fab56ce787e342ab2e3", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 23134, "upload_time": "2016-09-08T19:52:48", "url": "https://files.pythonhosted.org/packages/ca/c4/09b258b8f4fc6949782a37687c5dc041569784537efad25026996ea78aac/Products.PloneHotfix20160830-1.3.tar.gz" } ] }