Security patch released 20210518

Plone 4.0, 4.1 and 4.2 are not supported.

This fix is only loaded when plone.supermodel is available, which is not standard on Plone 4.0.

For most fixes in the hotfix, we override a method by running a few lines of extra code and then calling the original function. In this part of the hotfix this was not possible, so we copied the code from the latest version and fixed it there. We took care that it works with everything from Plone 4.3 through 5.2, even including 4.3.0 if I did my job well. I don't see us adapting the hotfix to work for even earlier versions.

This is okay: if the modeleditor does not exist, then it needs no fix.

If I see it correctly, this version of plone.namedfile is not vulnerable. You can try it out by uploading an HTML file and viewing it with /@@display-file at the end of the URL. This should result in a download; otherwise you are vulnerable.

We have seen various Unauthorized issues related to the security patch on expression traversal (expressions.py). One of them is from an oldish plone.app.discussion 2.4.20 on Plone 5.0:

Module Products.Five.browser.pagetemplatefile, line 125, in __call__
Module Products.Five.browser.pagetemplatefile, line 59, in __call__
Module zope.pagetemplate.pagetemplate, line 132, in pt_render
Module five.pt.engine, line 98, in __call__
Module z3c.pt.pagetemplate, line 163, in render
Module chameleon.zpt.template, line 261, in render
Module chameleon.template, line 191, in render
Module chameleon.template, line 171, in render
Module 2c6e66f202bf032e7210f72aecab5c7e, line 594, in render
Module five.pt.expressions, line 154, in __call__
Module Products.PloneHotfix20210518.expressions, line 46, in traverse
Module five.pt.expressions, line 123, in traverse
Module OFS.Traversable, line 317, in restrictedTraverse
Module OFS.Traversable, line 251, in unrestrictedTraverse
__traceback_info__: ([], 'author_name')
Unauthorized: You are not allowed to access 'author_name' in this context - Expression: "reply/author_name" - Filename: ... .4.20-py2.7.egg/plone/app/discussion/browser/comments.pt - Location: (line 55: col 49) - Source: alt reply/author_name" />

I'm not sure if this is just our old weird setup or whether the patch (expressions.py) really has some effect on security checks. I'm investigating this and will update once I know more.

Verbose security is more telling:

Unauthorized: Your user account is defined outside the context of the object being accessed. Access to 'author_name' of (plone.app.discussion.comment.Comment object at 0x7efe50f0e488) denied. Your user account, atsoukka, exists at /Plone/acl_users. Access requires View_Permission, granted to the following roles: ['Editor', 'Manager', 'Owner', 'Reader', 'Reviewer', 'Site Administrator']. - Expression: "reply/author_name" - Filename: ... .4.20-py2.7.egg/plone/app/discussion/browser/comments.pt - Location: (line 55: col 49) - Source: alt reply/author_name" />

Sure, this could be due to bad old code breaking the acquisition chain already before this patch. The curious thing is why this works without the patch.

Somehow unrestrictedTraverse gets changed into restrictedTraverse when the patch calls the original traverse at the end.

Update:

The patch patching five.pt's BoboAwareZopeTraverse inadvertently(?) changes TrustedBoboAwareZopeTraverse to use restrictedTraverse instead of unrestrictedTraverse. I assume that this is the same for the merged five.pt features in Products.PageTemplates.

Might this be related to five.pt? We also noticed something like that in a Plone 5.1 site.

Yes, in your traceback the fallback is hit (expressions line 46), so it's not the actual patch that's the problem, but the fallback. It's similar in the installation that @alert mentioned.

@reinhardt Got it. The patch patching five.pt's BoboAwareZopeTraverse inadvertently(?) changes TrustedBoboAwareZopeTraverse to use restrictedTraverse instead of unrestrictedTraverse.

Remaining question: is this on purpose, or is it safe to let TrustedBoboAwareZopeTraverse use unrestrictedTraverse?


Good find! The @classmethod probably tripped us up.
This is by accident: TrustedBoboAwareZopeTraverse should act the same with or without the hotfix.
We will be working on an update. (Short on time and away from keyboard the next few hours though.)

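As an added illustration of the mechanism the posts above point at (the hotfix wrapping a classmethod on BoboAwareZopeTraverse and thereby changing what TrustedBoboAwareZopeTraverse does), here is a toy reconstruction that is not code from the hotfix, five.pt or anyone in this thread. The class names and the traverse_method attribute are modelled on five.pt; the method bodies, the two patch functions and the sample path are assumptions made for the demonstration.

```python
# Added illustration (not the hotfix's or five.pt's code): why grabbing a
# *bound* classmethod from a base class and calling it from a wrapper makes
# every subclass run the original with cls bound to the base class.


def make_classes():
    """Fresh toy copies of the two five.pt traverser classes (assumed shape)."""

    class BoboAwareZopeTraverse:
        # Untrusted templates: traversal goes through security checks.
        traverse_method = "restrictedTraverse"

        @classmethod
        def traverse(cls, base, request, path_items):
            # The method used depends on the class the call was made on.
            return f"{cls.traverse_method}({base}, {'/'.join(path_items)})"

    class TrustedBoboAwareZopeTraverse(BoboAwareZopeTraverse):
        # Trusted (filesystem) templates skip the security checks.
        traverse_method = "unrestrictedTraverse"

    return BoboAwareZopeTraverse, TrustedBoboAwareZopeTraverse


def patch_naive(klass):
    """The pitfall: klass.traverse is already bound to klass, so the original
    always sees cls == klass, even when called via a subclass."""
    orig = klass.traverse

    @classmethod
    def traverse(cls, base, request, path_items):
        # ... extra security checks would go here (omitted in this toy) ...
        return orig(base, request, path_items)

    klass.traverse = traverse


def patch_correct(klass):
    """Unwrap to the plain function and pass on the cls we were called with."""
    orig = klass.traverse.__func__

    @classmethod
    def traverse(cls, base, request, path_items):
        # ... extra security checks would go here (omitted in this toy) ...
        return orig(cls, base, request, path_items)

    klass.traverse = traverse


def trusted_traversal(patch=None):
    """Apply `patch` to the base class, then traverse via the trusted subclass."""
    base_cls, trusted_cls = make_classes()
    if patch is not None:
        patch(base_cls)
    return trusted_cls.traverse("reply", None, ["author_name"])  # constructed path
```

With patch_naive the trusted traverser silently reports restrictedTraverse, which is the behaviour change the thread describes; with patch_correct it keeps unrestrictedTraverse.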

Just adding this for completeness:

Testing this on our Plone 4.3.19 setup, but I can't find anything breaking on forms there.

@@historyview (Insufficient Privileges) and easyForm (actions, fields, submissions) are broken by the patch.


There is a version 1.2 of the hotfix: Products.PloneHotfix20210518 · PyPI
New zip is up on plone.org. You may need to add a cache busting parameter to get a fresh version:
https://plone.org/security/hotfix/20210518/@@download/hotfix?x=222

What it fixes:

  • various Unauthorized errors, for example for the historyview page
  • a NotFound error when submitting a PloneFormGen form, and maybe similar situations

Version 1.2 fixes our Unauthorized issues! Thank you so much!

Thanks to the Security Team for the patch.

Please note that the link on https://plone.org/security/hotfix/20210518 says it's 1.2 but the file that comes down is 1.1

I get PloneHotfix20210518-1.2.zip when I click the link https://plone.org/security/hotfix/20210518/@@download/hotfix

However the README.txt has content with the following heading at the top, even though the rest of the content seems correct (the output log is two days old, so maybe not):

Plone hotfix, 2020-01-21
========================

It's a caching issue, I'm getting 1.1 when I click the link.
Something as simple as adding a trailing query for cache busting solves it:
https://plone.org/security/hotfix/20210518/@@download/hotfix/?busted

Ideally this should be addressed.


Yes, please read the above :slight_smile: ^^

Hint: why not just do it in the link, for example:
https://plone.org/security/hotfix/20210518/@@download/hotfix?version=1.2

or, better, the md5sum:

https://plone.org/security/hotfix/20210518/@@download/hotfix?md5sum=a20edade8eaf1977a99102fdea1bd049
?


The content type for a hotfix behaves correctly but we have something in the stack that is over-caching, and we have tried purging unsuccessfully.

Seriously? Gah, I need to brush up on my search-and-replace skills. The project description on PyPI also has the wrong date.

I have fixed it in the code now. If we ever get a 1.3 version, you will see the correct dates. :slight_smile:


Before zest.releaser (thanks for that :beers:) there was a time when I used python setup.py <command> to push things to PyPI:

I think that running:

python setup.py register

will fix the PyPI page. IIRC I used it to fix pages with broken rst syntax.

I think you can even test it with:

python setup.py register -r https://test.pypi.org/

https://pythonhosted.org/an_example_pypi_project/setuptools.html#using-setup-py

I do not know if that still works; many years have passed :slight_smile:


Version 1.2 might be worth sending an announcement for.

We noticed in our setup that the behavior of the history diff view has changed:

Plone 5.2.1 (without hotfix)

Plone 5.2.1 (with hotfix)

After the hotfix all markup is escaped, whereas the XSS vulnerability description only refers to script tags.
I was wondering if this was intended, because this seems to be yet another code-diff view, which might confuse users.

We also made the same observation for Plone 4.x installations.
