Plone 5.2.5 soft released

Plone 5.2.5 has been soft-released. Please give it a try and let me know if there are any critical issues:
https://dist.plone.org/release/5.2.5-pending/versions.cfg

For those who haven't run across soft-releases before, this is the last step before the final release. Because things haven't been finalized yet, some packages may change between now and the release. It is not recommended to use soft-releases in production.

See also the release checklist on GitHub .

The combined changelog of packages:

Zope: 4.5.5 → 4.6.2

plone.recipe.zope2instance: 6.8.3 → 6.10.0

New features:

• Allow to customize the WSGI pipeline [ale-rt, jensens] (#116)

• Add repoze.profile profiling middleware support [jensens] (#129)

• Make any ctl script python-env aware
  [sneridagh] (#162)

• Added support for Python 3.9 and restored support for Python 3.5 (needed for Zope 4)
  [dataflake] (#164)

Bug fixes:

• Enable both weekly and manual builds for GitHub Actions [jugmac00] (#169)

• Fix unsupported syntax in the requirements files which prevented to evaluate
  the specified constraints during test runs [jugmac00]. (#171)

• Applied code style black and isort with Plone/black rules, includes tox/GH-Actions [jensens] (#175)

• Fixed $PYTHONSTARTUP file support for the debug command under Python 3
  [dataflake] (#167)

i18ndude: 5.3.4 → 5.4.0

New features:

• i18ndude rebuild-pot --exclude="name1 name2" now also accepts directory names for exclusion.
  Excluding a directory name will exclude all files in and below the given directory,
  but only if the directory name exactly matches a exclusion name (no globs, no substring match).
  This change now also results in the hardcoded exclusions for 'tests' and 'docs' to actually work. (#86)

Bug fixes:

• Test with GitHub Actions instead of Travis CI.
  [maurits] (#83)

• Support Python 3.9. No code changes were needed.
  [maurits] (#83)

• Do not raise AttributeError when content is None. (#84)

Products.ExternalMethod: 4.4 → 4.5

• update configuration for version 5 of isort

• add support for Python 3.9

Products.PythonScripts: 4.12 → 4.13

• make sure "Manager" users can always modify proxy roles
  (#50 <https://github.com/zopefoundation/Products.PythonScripts/issues/50>_)

• add support for Python 3.9

• update configuration for version 5 of isort

diazo: 1.4.0 → 1.4.1

Bug fixes:

• Fix problems with tox4 and simplify tox and test setup.
  [loechel] (#80)

mockup: 3.2.5 → 3.2.6

Bug fixes:

• Remove fonts from patterns to avoid multiple inline includes.
  [agitator] (#1042)

Plone: 5.2.4 → 5.2.5

Bug fixes:

• Release Plone 5.2.5 final
  [maurits]

plone.api: 1.10.4 → 1.11.0

New features:

• Drop support for Plone 4.3, 5.0, 5.1, add support for 6.0.
  The code might still work, but it is no longer tested.
  You can use releases in the 1.10 series on the older versions.
  [maurits] (#431)

Bug fixes:

• Add tests to verify that the intids utility is correct after moving content.
  [ale-rt, maurits] (#430)

• Improve tox.ini so that plone.api could be tested locally.
  Add all tests to travis-ci config.
  Add .editorconfig file to plone.api to help enforce coding conventions
  [loechel] (#448)

• Fix plone.api.content.find to respect object_provides "not" queries.
  Fixes: #451
  [thet] (#452)

plone.app.content: 3.8.7 → 3.8.8

Bug fixes:

• Allow to use the @@getSource view when we are in an add form and we do not have the "Modify portal content" permission (#221)

• Call fileUpload view explict with @@ to avoid possible plone.rest clashes.
  [jensens] (#225)

• Fixed stored XSS in folder contents.
  From the PloneHotfix20210518 contents fix <https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents>_.
  [maurits] (#3274)

• Fixed stored XSS from user fullname and possibly other places where getVocabulary is called.
  This is an alternative to the plone.app.users workaround from the PloneHotfix20210518 fullname fix <https://plone.org/security/hotfix/20210518/stored-xss-from-user-fullname>_.
  [maurits] (#3274)

plone.app.contentmenu: 2.3.2 → 2.3.3

Bug fixes:

• Updated README.rst.
  [ksuess, jensens] (#1)

plone.app.event: 3.2.10 → 3.2.12

Bug fixes:

• Do not allow file: protocol in ical url.
  Previously, only file:// was disallowed, but this left room for relative paths.
  Taken over from PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-event-ical-url>_.
  [maurits] (#3274)

• Fix #330 traversal problem in the portlet_events template when an object in a folder is called "image" (backport from master)
  [sneridagh] (#330)

• Fix events portlet error when rendering with thumbnails suppressed [alecpm] (#332)

plone.app.iterate: 3.3.15 → 4.0.1

New features:

• Add proper support for DX folderish content
  [sneridagh] (#92)

Bug fixes:

• Fix checkin/checkout process for containers, since there was an annotation left to "reset" (pos) on checkout and it broke the sections viewlet
  [sneridagh] (#93)

• Do not break if some custom code provides an alias for Products.Archetypes (#85)

• Black and pep8 compliance
  [sneridagh] (#88)

• Update relations on Check-In WorkingCopy, by trigger an ObjectModifiedEvent event
  black and flake8 formatting
  [2silver] (#89)

plone.app.locales: 5.1.28 → 5.1.29

• Update Dutch translations.
  [fredvd]

• Fix German translations.
  [pbauer]

• Fix French translations.
  [boulch, laulaz]

plone.app.portlets: 4.4.6 → 4.4.7

Bug fixes:

• Only allow http and https urls in RSS portlet.
  From Products.PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/blind-ssrf-via-feedparser-accessing-an-internal-url>_.
  [maurits] (#3274)

plone.app.theming: 4.1.6 → 4.1.7

Bug fixes:

• Avoid Server Side Request Forgery via lxml parser.
  Taken over from PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-lxml-parser>_.
  [maurits] (#3274)

plone.app.upgrade: 2.0.38 → 2.0.39

Bug fixes:

• Added upgrade to 5213, Plone 5.2.5.
  [maurits] (#525)

plone.app.viewletmanager: 3.1.1 → 3.1.2

Bug fixes:

• tweak wording ("unhide" vs. "show" viewlets), remove old Trac reference (#23)

plone.contentrules: 2.1.0 → 2.1.2

Bug fixes:

• Fixed another deprecation warning for ObjectEvent from zope.component.
  [maurits] (#3130)

• Fix fields in the interface IRuleConfiguration: enabled, stop and cascading are not required. [andreesg] (#11)

plone.dexterity: 2.10.0 → 2.10.2

Bug fixes:

• Fix export/import of content in Python 3.
  Fixes issue 124 <https://github.com/plone/plone.dexterity/issues/124>_.
  Also fixes the tests in combination with newest Products.GenericSetup 2.1.2.
  [maurits] (#124)

• Officially support Plone 6.0 and Python 3.9.
  No code changes.
  [maurits] (#1)

plone.folder: 3.0.3 → 3.1.0

New features:

• Restore webdav support [frapell] (#16)

plone.formwidget.namedfile: 2.1.0 → 2.1.2

Bug fixes:

• Fix issue where already uploaded images were lost when file validation error occurs (Broken image saved on form validation error · Issue #46 · plone/plone.formwidget.namedfile · GitHub) [fRiSi] (#46)

• Fix NamedFileWidget bug when trying to create value from None. [vangheem] (#35)

• Don't check for hard coded image size in test.
  [agitator] (#40)

plone.memoize: 2.1.0 → 2.1.1

Bug fixes:

• Work in a FIPS enabled environment by using SHA1 instead of MD5 for computing the cache key. [frapell] (#25)

plone.namedfile: 5.4.0 → 5.5.1

New features:

• Prevent stored XSS from file upload (svg, html).
  Do this by implementing an allowlist of trusted mimetypes.
  You can turn this around by using a denylist of just svg, html and javascript.
  Do this by setting OS environment variable NAMEDFILE_USE_DENYLIST=1.
  From Products.PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots>_.
  [maurits] (#3274)

Bug fixes:

• Cache stable image scales strongly.
  When plone.app.imaging is available, this is already done.
  Otherwise, we should do this ourselves.
  Fixes issue 100 <https://github.com/plone/plone.namedfile/issues/100>_.
  [maurits] (#100)

plone.registry: 1.1.6 → 1.2.1

New features:

• Allow plone.schema.JSONField be stored in registry (as dict-like)
  [sneridagh] (#719)

Bug fixes:

• Fix registry key validation regexp.
  [jensens] (#23)

plone.resource: 2.1.3 → 2.1.4

Bug fixes:

• Do not throw an error when traversing to a FilesystemResourceDirectory (#31)

plone.restapi: 7.0.0 → 7.3.8

New features:

• Adjust JSONField adapter to include widget name to use in serialization
  [sneridagh] (#1089)

• Allow block transforms to run in "subblocks", discovered as the blocks field (or alternatively, data.blocks) in a block value. (#1085)

• Allow passing use_site_search_settings=1 in the @search endpoint request, to follow Plone's ISearchSchema settings. (#1081)

Bug fixes:

• Fix navigation endpoint sort by adding default sort_on='getObjPositionInParent' to the query. @valipod @tiberiuichim (#1107)

• Fix startup on Plone 4 without plone.app.contenttypes.
  [maurits] (#1166)

• Fix error in Plone 4.3 that installed the blocks profile when installing the package, instead of the default profile. Fix #895 <https://github.com/plone/plone.restapi/issues/895> [wesleybl] (#895)

• Fixed a deprecation warning when importing UnrestrictedUser from AccessControl (#1129)

• Fix @workflow when executing user has no permissions to access review_history in target state.
  [deiferni] (#999)

• Fix @history when full history is empty.
  [deiferni] (#1113)

• Fix @querystring-search endpoint with correct sort_order
  @mamico (#1108)

• Fix @search endpoint with use_site_search_settings flag, for VHM PhysicalRoot scenarios
  @tiberiuichim (#1105)

• Fixes if old p.schema is used
  [sneridagh] (#1103)

• Fixes build was using the released version
  [sneridagh] (#1090)

• @contextnavigation endpoint does not honor nav_title index
  [sneridagh] (#1092)

• Do not log "No such index" warnings for knonw indexes like metadata_fields @cekk (#987)

• Respect "Access inactive portal content" permission in @search endpoint [cekk] (#1066)

• Add GSM unsubscribe for test registered adapters in block transformer tests @tiberiuichim (#1083)

• Pin some package versions to fix buildout @tiberiuichim (#1086)

• Re-release 7.3.6 since it was a brown bag release.

plone.schema: 1.2.1 → 1.3.0

New features:

• Adjust JSONField to include widget name
  [sneridagh] (#10)

plone.schemaeditor: 3.0.2 → 3.0.3

Bug fixes:

• Make test 'Add a choice field with a named vocabulary' more robust.
  [wesleybl] (#84)

plone.staticresources: 1.4.2 → 1.4.3

Bug fixes:

• Reduce bundle sizes by not inlining fonts in each bundle - moved plone-fontello and glyphicons to their own bundle. Icon font bundles use fonts from ++plone++static/fonts/.
  Based on mockup 1.2.6.
  [agitator] (#131)

plone.testing: 8.0.2 → 8.0.3

Bug fixes:

• fix waitress deprecation warning (#77)

• Catch OSError in test teardown when removing a temporary directory.
  Fixes issue 79 <https://github.com/plone/plone.testing/issues/79>_.
  [maurits] (#79)

Products.CMFCore: 2.5.0 → 2.5.4

• Fix code and tests when running on Products.GenericSetup >= 2.1.2, thus
  requiring at least that version.

• Do not break at startup when subscribers.zcml is included but no
  portal_catalog object is in the database, e. g. when starting for the
  first time.
  (#115 <https://github.com/zopefoundation/Products.CMFCore/pull/115>_)

• Avoid DeprecationWarning for changed import location for rfc1123_date

• Fix several DeprecationWarnings during unit tests
  (#112 <https://github.com/zopefoundation/Products.CMFCore/issues/112>_)

• Set Cache-Control header in '304 Not Modified' response case as well.
  (#111 <https://github.com/zopefoundation/Products.CMFCore/issues/111>_)

• Make sure getSkinNameFromRequest only returns sane values
  (#109 <https://github.com/zopefoundation/Products.CMFCore/issues/109>_)

• Fix Python 3 incompatibility in CookieCrumbler.credentialsChanged

Products.CMFDiffTool: 3.3.2 → 3.3.3

Bug fixes:

• Added XSS fix from PloneHotfix20210518 for inline diff.
  See vulnerability <https://plone.org/security/hotfix/20210518/xss-vulnerability-in-cmfdifftool>_.
  The first version of the hotfix escaped all html.
  Now for the rich text field, use the safe html transform, otherwise the inline diff is no longer inline.
  [maurits] (#39)

Products.CMFPlone: 5.2.4 → 5.2.5rc1

New features:

• Add PLONE52MARKER Python marker
  [sneridagh] (#3257)

Bug fixes:

• Removed the docstring from various methods to avoid making them available via a url.
  From the Products.PloneHotfix20210518 reflected XSS fix <https://plone.org/security/hotfix/20210518/reflected-xss-in-various-spots>_.
  [maurits] (#3274)

• Add the remote code execution fix from the Products.PloneHotfix20210518 expressions patch <https://plone.org/security/hotfix/20210518/remote-code-execution-via-traversal-in-expressions>_.
  We need this because Zope 4.6.2 is too strict for us.
  [maurits] (#3274)

Products.DCWorkflow: 2.4.1 → 2.5.0

New features:

• Add support for Python 3.9.

Bug fixes:

• Avoid a deprecation warning when importing gather_permissions
  (#20 <https://github.com/zopefoundation/Products.DCWorkflow/issues/20>_)

• Avoid a TypeError when adding a managed group to a workflow
  (#18 <https://github.com/zopefoundation/Products.DCWorkflow/issues/18>_)

Products.GenericSetup: 2.1.1 → 2.1.3

• Fix Issue #83 where empty Versions caused an Error [gogobd]

• Document and fix behavior of methods that open/read/write filesystem files
  (#107 <https://github.com/zopefoundation/Products.GenericSetup/issues/107>_)

• Fix snapshot comparisons under Python 3
  (#85 <https://github.com/zopefoundation/Products.GenericSetup/issues/85>_)

Products.PlonePAS: 6.0.7 → 6.0.8

Bug fixes:

• Fixed tests for cookie auth to also work with zope.interface 5.3.0.
  This uses simpler representations for interfaces.
  Tests now pass with earlier and later versions.
  [maurits] (#237)

Products.PluggableAuthService: 2.6.1 → 2.6.4

• Fix method signature of PluggableAuthService._setObject
  (#95 <https://github.com/zopefoundation/Products.PluggableAuthService/issues/95>_)

• Fix tests when running on Products.GenericSetup >= 2.1.2, thus requiring
  at least that version.

• ZMI: use flexbox for twolist macro, fixes removing roles in Safari browser.
  (#91 <https://github.com/zopefoundation/Products.PluggableAuthService/issues/91>_)

• Fix CSRF token access for tigher TAL path expression security in Zope 5.2.1
  (#99 <https://github.com/zopefoundation/Products.PluggableAuthService/issues/99>_)

• Changed adding object gui to modal window

• Handle login issues for cookie based login when came_from is missing
  (#65 <https://github.com/zopefoundation/Products.PluggableAuthService/issues/65>_)

• Tighten down security on several login string transformation methods
  (#88 <https://github.com/zopefoundation/Products.PluggableAuthService/issues/88>_)

Products.PluginRegistry: 1.8 → 1.9

• add support for Python 3.9

• change package structure to move package code into a src subfolder

Products.PortalTransforms: 3.1.10 → 3.1.11

Bug fixes:

• Split method cleaner_options off from scrub_html in safe_html transform.
  This makes it easier to monkey patch or subclass.
  [maurits] (#44)

• REST transform: ignore warnings and stylesheet keyword arguments.
  They can be abused.
  From Products.PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script>_.
  [maurits] (#3274)

Products.Sessions: 4.8 → 4.9

• Add support for Python 3.9

Products.SiteErrorLog: 5.4 → 5.5

• Add support for Python 3.9

• Update configuration for version 5 of isort

plone.app.versioningbehavior: 1.4.2 → 1.4.3

Bug fixes:

• Fix issue where versioning dynamic content types with blob fields broke after a schema update due to change in dynamic schema identifiers since plone.dexterity >= 2.10.0
  [datakurre] (#57)

plone.app.blocks: 4.3.2 → 5.0.0

plone.app.imaging: 2.1.1 → 2.1.2

Bug fixes:

• Fix traversal handling of subobjects with ids that may also be image scales.
  [rpatterson]

Products.Archetypes: 1.16.4 → 1.16.5

Bug fixes:

• Fixed incompatibility with zope.component 5.
  zope.component.interfaces has long been a backwards compatibility import for zope.interface.interfaces, but not anymore.
  [maurits] (#462)

Changes that I still expect (apart from me adding release notes, and copying packages):

• Zope 4.6.3 release, where the biggest change is a new AccessControl with a security fix. The fixed version 4.3 is already in our versions.cfg. There should be a post on the forum about the release and the fix once the Zope release is out, which should be soon.
• A new Products.isurlinportal release, with a minor security fix. That will probably be early next week.
• Maybe new mockup and plone.staticresources releases. There is a small fix in mockup, but I don't see any effect when I try to take over this change in plone.staticresources. I am no expert on those packages though, so I could be wrong. If someone can have a look, that would help.

I have added Zope 4.6.3 and Products.isurlinportal 1.2.0.

Thanks! I tested it with 2 projects and everything seemed to work fine.

I tested it with on the test server of the Austrian Architectural Forum and all looks good so far!

Testing easyform to email stop working

Thanks for the release!
The PloneIntranet test suite runs fine with Plone 5.2.5.
I am using 5.2.5 while developing and so far I did not notice anything strange!

I can confirm!
You can see the problem by going to the form actions. The standard Mailer object is not selected, so it is not active:

And when I select it and click Save, it has no effect...

Might be fixable in collective.easyform.
But the root cause is that zope.schema was upgraded from 6.0.0 to 6.1.0.
This version changed set the default of IField.required to False. See issue 104 and PR 105, which include earlier reports of problems, which mostly have been fixed.
With this latest report about this causing problems in easyform, it seems best to keep Plone 5.2 on the older zope.schema 6.0.0. I will make a PR first.

@mactrash Can you try with zope.schema = 6.0.0?

Confirm

Tag zope.schema = 6.0.0

Will work for easyform issue.

Thanks

I have updated the versions and constraints in the 5.2.5-pending directory to use zope.schema 6.0.0.

I have made the 5.2.5 release final:

https://dist.plone.org/release/5.2.5/versions.cfg