[fc] Repository: plone.app.dexterity
Branch: refs/heads/master
Date: 2020-11-16T11:44:23+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.dexterity@b11b514

For increased security, in the modeleditor do not resolve entities, and remove processing instructions.

See plone/Products.CMFPlone#3209

Files changed:
A news/3209.bugfix
M plone/app/dexterity/browser/modeleditor.py

Repository: plone.app.dexterity
Branch: refs/heads/master
Date: 2020-11-16T21:17:35+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.dexterity@69b9c31

Merge pull request #317 from plone/maurits/cmfplone-issue-3209-lxml

Modeleditor: do not resolve entities, to avoid xml vulnerabilities

Files changed:
A news/3209.bugfix
M plone/app/dexterity/browser/modeleditor.py
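The parser settings this commit introduces, `etree.XMLParser(resolve_entities=False, remove_pis=True)`, compared against lxml's default parser on constructed input. This is an added example, not code from plone.app.dexterity; it assumes lxml is installed, and the `hardened_parser` and `describe` helpers, the two sample documents and the `file:///PLACEHOLDER/...` path are all constructed for the example (the path is a placeholder that is never opened).

```python
# Added example, not code from plone.app.dexterity: shows what
# resolve_entities=False and remove_pis=True change in the parsed tree.
from lxml import etree

# Constructed sample: an internal entity plus a processing instruction.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE model [ <!ENTITY greeting "hello"> ]>
<model>
  <?editor-hint cache="yes"?>
  <field>&greeting;</field>
</model>"""

# Constructed sample with a SYSTEM entity; the path is a placeholder and
# must never be read. Only the hardened parser is run on this document.
EXTERNAL = b"""<!DOCTYPE model [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/does-not-exist"> ]>
<model><field>&ext;</field></model>"""


def hardened_parser():
    """Parser settings from the modeleditor fix. load_dtd and no_network are
    lxml's defaults, stated explicitly so the hardening is self-documenting."""
    return etree.XMLParser(
        resolve_entities=False,  # keep &name; as an entity node, never expand it
        remove_pis=True,         # drop <?...?> processing instructions
        load_dtd=False,          # lxml default: do not load external DTDs
        no_network=True,         # lxml default: no http/ftp fetches
    )


def describe(source, parser=None):
    """Parse `source` (parser=None means lxml's default parser) and report
    what ended up in the tree: the text of the first <field>, the names of
    unexpanded entity nodes, and the targets of surviving PIs."""
    root = etree.fromstring(source, parser=parser)
    field = root.find("field")
    entities = [node.name for node in root.iter(etree.Entity)]
    pis = [node.target for node in root.iter(etree.ProcessingInstruction)]
    return {"field_text": field.text, "entities": entities, "pis": pis}


if __name__ == "__main__":
    # Default parser: entity expanded into the text, PI kept as a node.
    print("default  ", describe(SAMPLE))
    # Hardened parser: entity left as a reference node, PI gone.
    print("hardened ", describe(SAMPLE, hardened_parser()))
    # SYSTEM entity under the hardened parser: reference kept, nothing opened.
    print("external ", describe(EXTERNAL, hardened_parser()))
```

With the default parser the `<field>` text reads `hello` and the PI survives as a child node; with the hardened parser the field has no text, the tree contains an entity node named `greeting`, and no PI remains. Any code that later walks the parsed model therefore has to tolerate entity nodes where it used to see text.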
1 parent 087f50f, commit 381c62e
Showing 1 changed file with 21 additions and 19 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,34 +1,36 @@ | ||
Repository: plonetheme.barceloneta | ||
Repository: plone.app.dexterity | ||
|
||
|
||
Branch: refs/heads/2.x | ||
Date: 2020-11-03T22:14:47+01:00 | ||
Author: Fred van Dijk (fredvd) <[email protected]> | ||
Commit: https://github.com/plone/plonetheme.barceloneta/commit/2dc3aa1d7e52c2d3d61105017b32e77bcdf23e48 | ||
Branch: refs/heads/master | ||
Date: 2020-11-16T11:44:23+01:00 | ||
Author: Maurits van Rees (mauritsvanrees) <[email protected]> | ||
Commit: https://github.com/plone/plone.app.dexterity/commit/b11b514fb7b79301a5562a6b63150553bf6ece2d | ||
|
||
Also leave #edit-bar intact when copying the toolbar html into the theme using backend.xml, as was fixed two years to in the normal rules.xml | ||
For increased security, in the modeleditor do not resolve entities, and remove processing instructions. | ||
|
||
See https://github.com/plone/Products.CMFPlone/issues/3209 | ||
|
||
Files changed: | ||
A news/3191.bugfix | ||
M plonetheme/barceloneta/theme/backend.xml | ||
A news/3209.bugfix | ||
M plone/app/dexterity/browser/modeleditor.py | ||
|
||
b'diff --git a/news/3191.bugfix b/news/3191.bugfix\nnew file mode 100644\nindex 0000000..d56b7ff\n--- /dev/null\n+++ b/news/3191.bugfix\n@@ -0,0 +1 @@\n+Also leave #edit-bar intact when copying the toolbar html into the theme using backend.xml, as was fixed two years to in the normal rules.xml. [fredvd]\n\\ No newline at end of file\ndiff --git a/plonetheme/barceloneta/theme/backend.xml b/plonetheme/barceloneta/theme/backend.xml\nindex 3685e22..a5af5a1 100644\n--- a/plonetheme/barceloneta/theme/backend.xml\n+++ b/plonetheme/barceloneta/theme/backend.xml\n@@ -25,7 +25,7 @@\n -->\n \n <!-- Toolbar -->\n- <before css:theme-children="body" css:content-children="#edit-bar" css:if-not-content=".ajax_load" css:if-content=".userrole-authenticated" />\n+ <before css:theme-children="body" css:content="#edit-bar" css:if-not-content=".ajax_load" css:if-content=".userrole-authenticated" />\n <replace css:theme="#anonymous-actions" css:content-children="#portal-personaltools-wrapper" css:if-not-content=".ajax_load" css:if-content=".userrole-anonymous" />\n \n <!-- We don\'t want overlays -->\n' | ||
b"diff --git a/news/3209.bugfix b/news/3209.bugfix\nnew file mode 100644\nindex 0000000..848c253\n--- /dev/null\n+++ b/news/3209.bugfix\n@@ -0,0 +1,2 @@\n+For increased security, in the modeleditor do not resolve entities, and remove processing instructions.\n+[maurits]\ndiff --git a/plone/app/dexterity/browser/modeleditor.py b/plone/app/dexterity/browser/modeleditor.py\nindex 21ecc39..c132a7a 100644\n--- a/plone/app/dexterity/browser/modeleditor.py\n+++ b/plone/app/dexterity/browser/modeleditor.py\n@@ -42,8 +42,12 @@ def __call__(self):\n source = self.request.form.get('source')\n if source:\n # Is it valid XML?\n+ # Some safety measures.\n+ # We do not want to load entities, especially file:/// entities.\n+ # Also discard processing instructions.\n+ parser = etree.XMLParser(resolve_entities=False, remove_pis=True)\n try:\n- root = etree.fromstring(source)\n+ root = etree.fromstring(source, parser=parser)\n except etree.XMLSyntaxError as e:\n return json.dumps({\n 'success': False,\n" | ||
|
||
Repository: plonetheme.barceloneta | ||
Repository: plone.app.dexterity | ||
|
||
|
||
Branch: refs/heads/2.x | ||
Date: 2020-11-06T16:36:41+01:00 | ||
Author: Fred van Dijk (fredvd) <[email protected]> | ||
Commit: https://github.com/plone/plonetheme.barceloneta/commit/c3f43c36a73660a7ca4abf038acde740e056364e | ||
Branch: refs/heads/master | ||
Date: 2020-11-16T21:17:35+01:00 | ||
Author: Maurits van Rees (mauritsvanrees) <[email protected]> | ||
Commit: https://github.com/plone/plone.app.dexterity/commit/69b9c3121e1740fc0082f3537bf9b564372551f4 | ||
|
||
Merge pull request #222 from plone/fredvd_fix_backendxml_editbar | ||
Merge pull request #317 from plone/maurits/cmfplone-issue-3209-lxml | ||
|
||
Also leave #edit-bar intact | ||
Modeleditor: do not resolve entities, to avoid xml vulnerabilities | ||
|
||
Files changed: | ||
A news/3191.bugfix | ||
M plonetheme/barceloneta/theme/backend.xml | ||
A news/3209.bugfix | ||
M plone/app/dexterity/browser/modeleditor.py | ||
|
||
b'diff --git a/news/3191.bugfix b/news/3191.bugfix\nnew file mode 100644\nindex 0000000..d56b7ff\n--- /dev/null\n+++ b/news/3191.bugfix\n@@ -0,0 +1 @@\n+Also leave #edit-bar intact when copying the toolbar html into the theme using backend.xml, as was fixed two years to in the normal rules.xml. [fredvd]\n\\ No newline at end of file\ndiff --git a/plonetheme/barceloneta/theme/backend.xml b/plonetheme/barceloneta/theme/backend.xml\nindex 3685e22..a5af5a1 100644\n--- a/plonetheme/barceloneta/theme/backend.xml\n+++ b/plonetheme/barceloneta/theme/backend.xml\n@@ -25,7 +25,7 @@\n -->\n \n <!-- Toolbar -->\n- <before css:theme-children="body" css:content-children="#edit-bar" css:if-not-content=".ajax_load" css:if-content=".userrole-authenticated" />\n+ <before css:theme-children="body" css:content="#edit-bar" css:if-not-content=".ajax_load" css:if-content=".userrole-authenticated" />\n <replace css:theme="#anonymous-actions" css:content-children="#portal-personaltools-wrapper" css:if-not-content=".ajax_load" css:if-content=".userrole-anonymous" />\n \n <!-- We don\'t want overlays -->\n' | ||
b"diff --git a/news/3209.bugfix b/news/3209.bugfix\nnew file mode 100644\nindex 0000000..848c253\n--- /dev/null\n+++ b/news/3209.bugfix\n@@ -0,0 +1,2 @@\n+For increased security, in the modeleditor do not resolve entities, and remove processing instructions.\n+[maurits]\ndiff --git a/plone/app/dexterity/browser/modeleditor.py b/plone/app/dexterity/browser/modeleditor.py\nindex 21ecc39..c132a7a 100644\n--- a/plone/app/dexterity/browser/modeleditor.py\n+++ b/plone/app/dexterity/browser/modeleditor.py\n@@ -42,8 +42,12 @@ def __call__(self):\n source = self.request.form.get('source')\n if source:\n # Is it valid XML?\n+ # Some safety measures.\n+ # We do not want to load entities, especially file:/// entities.\n+ # Also discard processing instructions.\n+ parser = etree.XMLParser(resolve_entities=False, remove_pis=True)\n try:\n- root = etree.fromstring(source)\n+ root = etree.fromstring(source, parser=parser)\n except etree.XMLSyntaxError as e:\n return json.dumps({\n 'success': False,\n" | ||
|
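Review bot: in the modeleditor.py part of this hunk, `parser = etree.XMLParser(resolve_entities=False, remove_pis=True)` relies on lxml's defaults for `load_dtd` (False) and `no_network` (True); passing both explicitly would make the hardening self-documenting and keep it intact if those defaults are ever changed. A smaller style point: the pre-existing `# Is it valid XML?` comment now sits above the three new safety comments and the parser construction rather than above the `try:` / `etree.fromstring(source, parser=parser)` it describes; moving it down next to the `try:` keeps each comment beside the code it explains. Separately, this hunk replaces the whole log file, so the plonetheme.barceloneta entries (Date 2020-11-03 and 2020-11-06, pull request #222) disappear rather than being kept; if the file is meant as a running record, appending the new entries would preserve the earlier ones.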