Security patch released 20210518

Watch out for possible problems installing any package when your setuptools or Python is too old. See Pypi Deprecation of support for non-SNI clients breaks buildout for older Plone versions

For the record and completeness' sake (I already posted in Slack and gitter), we have installed this patch by accident in an ancient Plone 3.3.x that uses Products.Collage as a homepage and it has broken the site. Plone 3.3.x is not supported by the patch, but if you install it by accident it may break your site.

It would be also awesome to clearly mention whether Zope is affected or not. I received the news after end of working day, and on my smartphone I have no chance to unpack the packed download and have a look at the source.

Is there a GitHub repo for the security fixes?

I have three Plone 4.0 sites, and all three show a few errors on startup with the hotfix. They all have this one in common:

2021-05-18T10:01:05 ERROR Products.PloneHotfix20210518 Could not apply supermodel
Traceback (most recent call last):
  File "/usr/local/plone-4.0/zeoserver/products/PloneHotfix20210518/__init__.py", line 71, in <module>
    __import__("Products.PloneHotfix20210518.%s" % hotfix)
  File "/usr/local/plone-4.0/zeoserver/products/PloneHotfix20210518/supermodel.py", line 5, in <module>
    from plone.supermodel.debug import parseinfo
ImportError: No module named debug
------
2021-05-18T10:01:06 INFO Products.PloneHotfix20210518 Applied portlets patch

In addition, two of those Plone 4.0 sites also show these two tracebacks, which are also present on a Plone 4.3.20 site:

2021-05-18T10:54:52 INFO Products.PloneHotfix20210518 Applied difftool patch
------
2021-05-18T10:54:52 ERROR Products.PloneHotfix20210518 Could not apply modeleditor
Traceback (most recent call last):
  File "/usr/local/plone-4.3/zeoserver/products/PloneHotfix20210518/__init__.py", line 71, in <module>
    __import__("Products.PloneHotfix20210518.%s" % hotfix)
  File "/usr/local/plone-4.3/zeoserver/products/PloneHotfix20210518/modeleditor.py", line 4, in <module>
    from plone.app.dexterity.browser.modeleditor import AjaxSaveHandler
ImportError: No module named modeleditor
------
2021-05-18T10:54:53 ERROR Products.PloneHotfix20210518 Could not apply namedfile
Traceback (most recent call last):
  File "/usr/local/plone-4.3/zeoserver/products/PloneHotfix20210518/__init__.py", line 71, in <module>
    __import__("Products.PloneHotfix20210518.%s" % hotfix)
  File "/usr/local/plone-4.3/zeoserver/products/PloneHotfix20210518/namedfile.py", line 20, in <module>
    Download._orig_set_headers = Download.set_headers
AttributeError: type object 'Download' has no attribute 'set_headers'
------
2021-05-18T10:54:53 INFO Products.PloneHotfix20210518 Applied pa_users patch
------

Other than logging these errors, the patch does not seem to break anything on my 4.0, 4.2 and 4.3 sites.

There is a version 1.1 of the hotfix: Products.PloneHotfix20210518 · PyPI
New zip is up on plone.org. You may need to add a cache busting parameter to get a fresh version:
https://plone.org/security/hotfix/20210518/@@download/hotfix?x=1

Yes, but it is not public

Some of the fixes are applicable to plain Zope, and perhaps a few extra to CMF. The hotfix tries to be smart about this, only loading Plone fixes when Products.CMFPlone is in the packages.

The biggest vulnerability is a remote code execution which is in core Zope, so I advise you to try it out. I expect this fix to land in Zope soon.

We might make a few different choices than the Zope people though. For example, CMFPlone 5.2.4 patches a few Zope functions to make them unavailable via a URL, and this will not be done in Zope core. BTW, this particular patch does not actually work on Python 3, and this is one of the things that today's hotfix addresses.

1 Like

Plone 4.0, 4.1 and 4.2 are not supported.

This fix is only loaded when plone.supermodel is available, which is not standard on Plone 4.0.

For most fixes in the hotfix, we override a method by calling a few lines of extra code, and then calling the original function. In this part of the hotfix this was not possible, so we copied the code from the latest version and fixed it there. We took care so it worked with everything from Plone 4.3 till 5.2, even including 4.3.0 if I did my job well. I don't see it happen that we adapt the hotfix to work for even earlier versions.

This is okay: if the modeleditor does not exist, then it needs no fix.

When I see it correctly, this version of plone.namedfile is not vulnerable. You can try it out by uploading an html file and viewing this with /@@display-file at the end of the URL. This should result in a download, otherwise you are vulnerable.

We have seen various Unauthorized issues related to the security patch on expression traversal (expressions.py). One of them is from an oldish plone.app.discussion 2.4.20 on Plone 5.0:

Module Products.Five.browser.pagetemplatefile, line 125, in __call__
Module Products.Five.browser.pagetemplatefile, line 59, in __call__
Module zope.pagetemplate.pagetemplate, line 132, in pt_render
Module five.pt.engine, line 98, in __call__
Module z3c.pt.pagetemplate, line 163, in render
Module chameleon.zpt.template, line 261, in render
Module chameleon.template, line 191, in render
Module chameleon.template, line 171, in render
Module 2c6e66f202bf032e7210f72aecab5c7e, line 594, in render
Module five.pt.expressions, line 154, in __call__
Module Products.PloneHotfix20210518.expressions, line 46, in traverse
Module five.pt.expressions, line 123, in traverse
Module OFS.Traversable, line 317, in restrictedTraverse
Module OFS.Traversable, line 251, in unrestrictedTraverse
__traceback_info__: ([], 'author_name')
Unauthorized: You are not allowed to access 'author_name' in this context - Expression: "reply/author_name" - Filename: ... .4.20-py2.7.egg/plone/app/discussion/browser/comments.pt - Location: (line 55: col 49) - Source: alt reply/author_name" />

I am not sure if this is just our old weird setup or whether the patch (expressions.py) really has some effect on security checks. I'm investigating this and will update once I know more.

Verbose security is more telling:

Unauthorized: Your user account is defined outside the context of the object being accessed. Access to 'author_name' of (plone.app.discussion.comment.Comment object at 0x7efe50f0e488) denied. Your user account, atsoukka, exists at /Plone/acl_users. Access requires View_Permission, granted to the following roles: ['Editor', 'Manager', 'Owner', 'Reader', 'Reviewer', 'Site Administrator']. - Expression: "reply/author_name" - Filename: ... .4.20-py2.7.egg/plone/app/discussion/browser/comments.pt - Location: (line 55: col 49) - Source: alt reply/author_name" />

Sure, this could be due to bad old code breaking the acquisition chain already before this patch. The curious thing is why this works without the patch.

Somehow unrestrictedTraverse gets changed into restrictedTraverse when the patch calls the original traverse at the end.

Update:

Patch patching five.pt's BoboAwareZopeTraverse inadvertently(?) changes TrustedBoboAwareZopeTraverse to use restrictedTraverse instead of unrestrictedTraverse. I assume that this is the same for merged five.pt features in Products.PageTemplate.

Might this be related to five.pt? We also noticed something like that in a Plone 5.1 site.

Yes, in your traceback the fallback is hit (expressions line 46), so it's not the actual patch that's the problem, but the fallback. It's similar in the installation that @alert mentioned.

@reinhardt Got it. Patch patching five.pt's BoboAwareZopeTraverse inadvertently(?) changes TrustedBoboAwareZopeTraverse to use restrictedTraverse instead of unrestrictedTraverse.

Remaining question: is this on purpose, or is it safe to let TrustedBoboAwareZopeTraverse use unrestrictedTraverse?

2 Likes
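The finding above (and the "a few lines of extra code, then call the original" pattern described earlier in the thread) can be reproduced in miniature. The following is an added example, my own simplified model and not code from five.pt, Products.PageTemplates or the hotfix: the class names follow the thread, but the bodies are stand-ins. It assumes the trusted subclass differs from the base only in which traversal method it names (the `traverse_method` attribute is my stand-in for that), and that a hotfix-style wrapper calls the saved original at the end. The `Content` class, the path `reply/author_name` and the value `alice` are constructed for the demonstration.

```python
"""Added example (not five.pt's or the hotfix's code): how wrapping a
@classmethod on a base class can silently change a subclass's behaviour."""


class Content:
    """Constructed stand-in for a Zope object offering both traversal flavours."""

    def __init__(self, name, children=None, protected=()):
        self.name = name
        self.children = children or {}
        self.protected = set(protected)  # names that need a permission check

    def restrictedTraverse(self, name):
        # Security-checked traversal: refuse names the caller may not access.
        if name in self.protected:
            raise PermissionError("Unauthorized: %r on %r" % (name, self.name))
        return self.children[name]

    def unrestrictedTraverse(self, name):
        # Trusted traversal: no permission check at all.
        return self.children[name]


def make_traversers():
    """Build a fresh base/subclass pair so every scenario starts unpatched."""

    class BoboAwareZopeTraverse:
        traverse_method = "restrictedTraverse"  # assumed stand-in attribute

        @classmethod
        def traverse(cls, base, path_items):
            # ``cls`` decides which traversal flavour is used.
            for name in path_items:
                base = getattr(base, cls.traverse_method)(name)
            return base

    class TrustedBoboAwareZopeTraverse(BoboAwareZopeTraverse):
        traverse_method = "unrestrictedTraverse"

    return BoboAwareZopeTraverse, TrustedBoboAwareZopeTraverse


def no_patch(base_cls):
    """Baseline: leave the classes alone."""


def patch_bound_original(base_cls):
    """Wrapper that saves the *bound* classmethod and calls it at the end.

    ``base_cls.traverse`` is already bound to ``base_cls``, so inside the
    original ``cls`` is always the base class, even when the wrapper is
    reached through the trusted subclass. This reproduces the symptom in
    the thread: the trusted traverser ends up using restrictedTraverse."""
    orig = base_cls.traverse

    @classmethod
    def traverse(cls, base, path_items):
        # (the real hotfix's extra checks would go here)
        return orig(base, path_items)  # BUG: the caller's ``cls`` is dropped

    base_cls.traverse = traverse


def patch_unbound_original(base_cls):
    """Wrapper that keeps the raw function so ``cls`` is passed through."""
    orig = base_cls.__dict__["traverse"].__func__

    @classmethod
    def traverse(cls, base, path_items):
        return orig(cls, base, path_items)  # subclass's ``cls`` preserved

    base_cls.traverse = traverse


def outcome(patch):
    """Run 'reply/author_name' through both traversers after applying ``patch``."""
    base_cls, trusted_cls = make_traversers()
    patch(base_cls)
    # Constructed tree: author_name is protected, as in the Unauthorized above.
    root = Content("root", {
        "reply": Content("reply", {"author_name": "alice"}, protected={"author_name"}),
    })
    results = {}
    for label, traverser in (("untrusted", base_cls), ("trusted", trusted_cls)):
        try:
            results[label] = traverser.traverse(root, ["reply", "author_name"])
        except PermissionError:
            results[label] = "Unauthorized"
    return results


if __name__ == "__main__":
    for patch in (no_patch, patch_bound_original, patch_unbound_original):
        print(patch.__name__, outcome(patch))
```

Run as a script, the bound-original variant shows the trusted traverser raising Unauthorized exactly where the unpatched classes and the unbound-original variant return the value; the fix is to keep the underlying function (via `__dict__[...].__func__`) and forward the caller's `cls`, rather than calling a method already bound to the base class.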

Good find! The @classmethod probably tripped us up.
This is by accident: TrustedBoboAwareZopeTraverse should act the same with or without the hotfix.
We will be working on an update. (Short on time and away from keyboard for the next few hours though.)

3 Likes

Just adding this for completeness:

Testing this on our Plone 4.3.19 setup, but I can't find anything breaking on forms there.

@@historyview (Insufficient Privileges) and easyForm (actions, fields, submissions) are broken by the patch.

1 Like

There is a version 1.2 of the hotfix: Products.PloneHotfix20210518 · PyPI
New zip is up on plone.org. You may need to add a cache busting parameter to get a fresh version:
https://plone.org/security/hotfix/20210518/@@download/hotfix?x=222

What it fixes:

  • various Unauthorized errors, for example for the historyview page
  • a NotFound error when submitting a PloneFormGen form, and maybe similar situations

7 Likes

Version 1.2 fixes our Unauthorized issues! Thank you so much!

Thanks to the Security Team for the patch.

Please note that the link on https://plone.org/security/hotfix/20210518 says it's 1.2, but the file that comes down is 1.1.

I get PloneHotfix20210518-1.2.zip when I click the link https://plone.org/security/hotfix/20210518/@@download/hotfix.

However the README.txt has content with the following heading at the top, even though the rest of the content seems correct (the output log is two days old, so maybe not):

Plone hotfix, 2020-01-21
========================
1 Like