Hotfix20151006 for Plone 4.3.9

http://dist.plone.org/release/4.3.9/versions.cfg has
...
plone4.csrffixes = 1.0.9
...

But security hotfix page https://plone.org/security/20151006 says that 4.3.9 needs:

[buildout]
...
eggs =
plone4.csrffixes==1.0.8
...

The hotfix has been incorporated in 4.3.9 so the page needs to be updated.

Holden

Thanks for the heads up. I have edited the page.

The situation on Plone 4.3.9 is a bit tricky. I have tried explaining this in a few other posts on this forum. I have now updated the page in a hopefully clear way. I'll include the relevant bit below.

Plone 4.3.9 and higher

The hotfix is partially included in Plone 4.3.9. The biggest part that is missing by default is plone.protect version 3.x. This is the part that is doing the actual automatic csrf protection. By default we stick to plone.protect version 2.x. The reason is that this can be overly aggressive, as explained in the advisory linked above. So we want inclusion of this hotfix to remain an explicit decision made by you.

The plone4.csrffixes package can still be used on Plone 4.3.9 and higher, but the fixes that it contains to avoid most of the aggressiveness have been incorporated in the core packages of Plone 4.3.9. To use the automatic csrf protection, you only need to update plone.protect to the latest version in the 3.x range.

So to include the extra protection on Plone 4.3.9 and higher, which is still recommended, open the buildout.cfg file in your editor, scroll down to the [versions] section of the buildout and add the following:

[versions]
...
plone.protect = 3.0.18
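A small check for the situation described in the reply above, added here as an example and not part of the thread or of any Plone package: it parses the [versions] section of a buildout.cfg and reports whether plone.protect is pinned to the 3.x range (automatic CSRF protection) or still to 2.x. The buildout fragment embedded below is constructed for the example; the plone.protect 2.x pin in it is a made-up value, and the 3.0.18 target is the pin quoted in the reply.

```python
import configparser
from typing import Dict, Optional

# Constructed sample buildout.cfg (not from the forum post). The plone.protect
# 2.x pin is a placeholder value; plone4.csrffixes 1.0.9 is the pin quoted
# from the 4.3.9 versions.cfg in the thread.
SAMPLE_BUILDOUT = """
[buildout]
extends = http://dist.plone.org/release/4.3.9/versions.cfg
parts = instance

[versions]
plone4.csrffixes = 1.0.9
plone.protect = 2.0.0
"""


def parse_versions(buildout_text: str) -> Dict[str, str]:
    """Return the [versions] section of a buildout config as {package: pin}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(buildout_text)
    if not parser.has_section("versions"):
        return {}
    return {name: value.strip() for name, value in parser.items("versions")}


def major_version(pin: str) -> Optional[int]:
    """Leading integer of a pin such as '3.0.18'; None for non-numeric pins."""
    head = pin.split(".", 1)[0]
    return int(head) if head.isdigit() else None


def csrf_protection_status(buildout_text: str) -> Dict[str, object]:
    """Report the relevant pins and whether plone.protect is in the 3.x range.

    Only the local file is inspected: a pin that is absent here is inherited
    from the 'extends' target (for 4.3.9 that is plone.protect 2.x), which
    this offline check does not fetch.
    """
    versions = parse_versions(buildout_text)
    protect_pin = versions.get("plone.protect")
    protect_major = major_version(protect_pin) if protect_pin else None
    return {
        "plone.protect": protect_pin,
        "plone4.csrffixes": versions.get("plone4.csrffixes"),
        "automatic_csrf_protection": protect_major is not None and protect_major >= 3,
    }


def recommend(buildout_text: str, target_pin: str = "3.0.18") -> str:
    """One-line advice based on the current plone.protect pin."""
    status = csrf_protection_status(buildout_text)
    if status["automatic_csrf_protection"]:
        return "plone.protect %s is pinned: automatic CSRF protection is active" % (
            status["plone.protect"]
        )
    current = status["plone.protect"] or "not pinned locally (inherited from extends)"
    return "plone.protect is %s; add 'plone.protect = %s' to [versions] to enable automatic CSRF protection" % (
        current,
        target_pin,
    )


if __name__ == "__main__":
    print(recommend(SAMPLE_BUILDOUT))
    print(recommend(SAMPLE_BUILDOUT.replace("2.0.0", "3.0.18")))
```

Run it against your own buildout.cfg by reading the file into a string and passing it to recommend(); remember that the check only sees pins written in that file, so a plone.protect line missing locally means the version from the extended versions.cfg applies.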

Thank you for the clarification. Yes I noticed the aggressive csrf protection in higher versions. Having the option for conservative or aggressive implementation is good.

Holden
