Security patch released 20210518

Plone 4.0, 4.1 and 4.2 are not supported.

This fix is only loaded when plone.supermodel is available, which is not standard on Plone 4.0.

For most fixes in the hotfix, we override a method by running a few lines of extra code and then calling the original function. In this part of the hotfix this was not possible, so we copied the code from the latest version and fixed it there. We took care that it works with everything from Plone 4.3 to 5.2, even including 4.3.0, if I did my job well. I don't see us adapting the hotfix to work for even earlier versions.

This is okay: if the modeleditor does not exist, then it needs no fix.

If I see it correctly, this version of plone.namedfile is not vulnerable. You can try it out by uploading an HTML file and viewing it with /@@display-file at the end of the URL. This should result in a download; otherwise you are vulnerable.
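The manual check described in the post above can be scripted. The following is an added example, not code from the Plone security team or from plone.namedfile: it fetches `<file-url>/@@display-file` anonymously and classifies the response headers. It assumes you have already uploaded an HTML file by hand and pass its URL on the command line; the header-classification logic is separated from the network call so it can be exercised offline.

```python
"""Check whether @@display-file serves an uploaded HTML file as a download.

Added example (not part of the original thread or of plone.namedfile).
Assumption: the HTML file was uploaded manually and its URL is given as argv[1].
"""
import sys
import urllib.error
import urllib.request
from email.message import Message


def classify_display_file(headers):
    """Classify response headers of a GET on <file-url>/@@display-file.

    headers: iterable of (name, value) pairs (e.g. resp.headers.items()).
    Returns:
      "download"     -> Content-Disposition: attachment, browser saves to disk
      "inline-html"  -> an HTML body rendered inline in the site's origin
                        (this is the case the post calls "vulnerable")
      "inline-other" -> served inline, but not as HTML
    """
    # email.message.Message parses "attachment; filename=..." style values.
    msg = Message()
    for name, value in headers:
        msg[name] = value
    disposition = msg.get_content_disposition()  # None when header is absent
    if disposition == "attachment":
        return "download"
    # get_content_type() strips parameters such as "; charset=utf-8" and
    # falls back to text/plain when the header is missing or malformed.
    ctype = msg.get_content_type().lower()
    if ctype in ("text/html", "application/xhtml+xml"):
        return "inline-html"
    return "inline-other"


def check_url(file_url, timeout=15):
    """GET <file_url>/@@display-file without credentials and classify it."""
    url = file_url.rstrip("/") + "/@@display-file"
    req = urllib.request.Request(url, headers={"User-Agent": "display-file-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_display_file(resp.headers.items())
    except urllib.error.HTTPError as err:
        # 401/403/404: the view is not reachable anonymously, so no verdict.
        return "unreachable-%d" % err.code


if __name__ == "__main__":
    verdict = check_url(sys.argv[1])
    print(verdict)
    # Non-zero exit when the HTML would be rendered in the site origin.
    sys.exit(1 if verdict == "inline-html" else 0)
```

Run it as `python check_display_file.py https://example.org/Plone/test.html` (assumed path). Note the caveat: an "inline-other" verdict with a `text/plain` type is still worth a second look, because very old browsers may sniff HTML out of it unless `X-Content-Type-Options: nosniff` is also sent.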

We have seen various Unauthorized issues related to the security patch on expression traversal ( One of them from oldish 2.4.20 on Plone 5.0:

Module Products.Five.browser.pagetemplatefile, line 125, in __call__
Module Products.Five.browser.pagetemplatefile, line 59, in __call__
Module zope.pagetemplate.pagetemplate, line 132, in pt_render
Module, line 98, in __call__
Module, line 163, in render
Module chameleon.zpt.template, line 261, in render
Module chameleon.template, line 191, in render
Module chameleon.template, line 171, in render
Module 2c6e66f202bf032e7210f72aecab5c7e, line 594, in render
Module, line 154, in __call__
Module Products.PloneHotfix20210518.expressions, line 46, in traverse
Module, line 123, in traverse
Module OFS.Traversable, line 317, in restrictedTraverse
Module OFS.Traversable, line 251, in unrestrictedTraverse
__traceback_info__: ([], 'author_name')
Unauthorized: You are not allowed to access 'author_name' in this context - Expression: "reply/author_name" - Filename: ... .4.20-py2.7.egg/plone/app/discussion/browser/ - Location: (line 55: col 49) - Source: alt reply/author_name" />

I am not sure if this is just our old weird setup or whether the patch ( really has some effect on security checks. I'm investigating this and will update once I know more.

Verbose security is more telling

Unauthorized: Your user account is defined outside the context of the object being accessed. Access to 'author_name' of ( object at 0x7efe50f0e488) denied. Your user account, atsoukka, exists at /Plone/acl_users. Access requires View_Permission, granted to the following roles: ['Editor', 'Manager', 'Owner', 'Reader', 'Reviewer', 'Site Administrator']. - Expression: "reply/author_name" - Filename: ... .4.20-py2.7.egg/plone/app/discussion/browser/ - Location: (line 55: col 49) - Source: alt reply/author_name" />

Sure, this could be due to bad old code breaking the acquisition chain already before this patch. The curious thing is why this works without the patch.

Somehow unrestrictedTraverse gets changed into restrictedTraverse when the patch calls the original traverse at the end.


The patch's patching of BoboAwareZopeTraverse inadvertently(?) changes TrustedBoboAwareZopeTraverse to use restrictedTraverse instead of unrestrictedTraverse. I assume this is the same for the merged features in Products.PageTemplate.

Might this be related to We also noticed something like that in a Plone 5.1 site.

Yes, in your traceback the fallback is hit (expressions line 46), so it's not the actual patch that's the problem, but the fallback. It's similar in the installation that @alert mentioned.

@reinhardt Got it. The patch's patching of BoboAwareZopeTraverse inadvertently(?) changes TrustedBoboAwareZopeTraverse to use restrictedTraverse instead of unrestrictedTraverse.

Remaining question: is this on purpose, or is it safe to let TrustedBoboAwareZopeTraverse use unrestrictedTraverse?


Good find! The @classmethod probably tripped us up.
This is by accident: TrustedBoboAwareZopeTraverse should act the same with or without the hotfix.
We will be working on an update. (Short on time and away from keyboard the next few hours though.)
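The mechanism discussed in the posts above (a patch that runs a few extra lines and then calls the original method, and the remark that "the @classmethod probably tripped us up") can be reproduced in isolation. The following is an added example, not the hotfix's code and not Zope's: the class and attribute names mirror `BoboAwareZopeTraverse`, `TrustedBoboAwareZopeTraverse` and `traverse_method` from Products.PageTemplates, but the bodies are a toy stand-in, and the specific cause shown (saving the bound classmethod and calling it from the wrapper) is an assumption consistent with the thread, not verified against the hotfix source.

```python
"""Why monkeypatching a classmethod on a base class can change a subclass.

Added example, not from the hotfix or from Zope. The "check_path" step is a
hypothetical stand-in for the extra check a hotfix wrapper prepends.
"""


class Unauthorized(Exception):
    pass


class Obj:
    """Toy traversable: records which traversal method produced each step."""

    def __init__(self, trail=()):
        self.trail = tuple(trail)

    def restrictedTraverse(self, name):
        return Obj(self.trail + (("restrictedTraverse", name),))

    def unrestrictedTraverse(self, name):
        return Obj(self.trail + (("unrestrictedTraverse", name),))


def make_classes():
    """Fresh, unpatched classes so each demonstration starts clean."""

    class BoboAwareZopeTraverse:
        traverse_method = "restrictedTraverse"

        @classmethod
        def traverse(cls, base, request, path_items):
            # Dispatch on cls.traverse_method: the subclass below gets
            # unrestricted traversal purely by overriding that attribute.
            for name in path_items:
                base = getattr(base, cls.traverse_method)(name)
            return base

    class TrustedBoboAwareZopeTraverse(BoboAwareZopeTraverse):
        traverse_method = "unrestrictedTraverse"

    return BoboAwareZopeTraverse, TrustedBoboAwareZopeTraverse


def check_path(path_items):
    """Hypothetical extra check prepended by the wrapper (assumption)."""
    for name in path_items:
        if name.startswith("_"):
            raise Unauthorized(name)


def patch_wrong(Base):
    """Wrapper that calls the saved *bound* classmethod.

    Base.traverse is already bound to Base, so inside the original
    cls == Base no matter which subclass the caller used: the trusted
    subclass silently falls back to restrictedTraverse.
    """
    orig = Base.traverse

    def traverse(cls, base, request, path_items):
        check_path(path_items)
        return orig(base, request, path_items)  # cls frozen to Base

    Base.traverse = classmethod(traverse)


def patch_right(Base):
    """Wrapper that forwards the real cls to the underlying function."""
    orig = Base.traverse.__func__  # plain function, not bound to Base

    def traverse(cls, base, request, path_items):
        check_path(path_items)
        return orig(cls, base, request, path_items)  # cls preserved

    Base.traverse = classmethod(traverse)


def methods_used(patch):
    """Traverse via the trusted subclass after applying `patch` to the base."""
    Base, Trusted = make_classes()
    patch(Base)
    obj = Trusted.traverse(Obj(), None, ["reply", "author_name"])
    return [method for method, _ in obj.trail]


def is_blocked(patch, name):
    """True when the wrapper's extra check rejects `name`."""
    Base, Trusted = make_classes()
    patch(Base)
    try:
        Trusted.traverse(Obj(), None, [name])
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    print("unpatched:", methods_used(lambda Base: None))
    print("wrong:    ", methods_used(patch_wrong))
    print("right:    ", methods_used(patch_right))
```

Both wrappers perform the added check, so the difference is invisible to the "does the patch block the bad path" test; it only shows up as spurious Unauthorized errors in trusted (unrestricted) traversal, which matches the `reply/author_name` traceback earlier in the thread. The same pitfall applies to `staticmethod`, and to saving `SubClass.traverse` when you meant the base.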


Just adding this for completeness:

Testing this on our Plone 4.3.19 setup, but I can't find anything breaking on forms there.

@@historyview (Insufficient Privileges) and easyForm (actions, fields, submissions) are broken by the patch.

There is a version 1.2 of the hotfix: Products.PloneHotfix20210518 · PyPI
New zip is up on You may need to add a cache busting parameter to get a fresh version:

What it fixes:

  • various Unauthorized errors, for example for the historyview page
  • a NotFound error when submitting a PloneFormGen form, and maybe similar situations

Version 1.2 fixes our Unauthorized issues! Thank you so much!

Thanks to the Security Team for the patch.

Please note that the link on says it's 1.2, but the file that comes down is 1.1.

I get when I click the link

However, the README.txt has content with the following heading at the top, even though the rest of the content seems correct (the output log is two days old, so maybe not):

Plone hotfix, 2020-01-21

It's a caching issue, I'm getting 1.1 when I click the link.
Something as simple as adding a trailing query for cache busting solves it:

Ideally this should be addressed.


Yes, please read the above :slight_smile: ^^

Hint: why not just do it in the link, for example:

or, better, the md5sum:


The content type for a hotfix behaves correctly but we have something in the stack that is over-caching, and we have tried purging unsuccessfully.

Seriously? Gah, I need to brush up on my search-and-replace skills. The project description on PyPI also has the wrong date.

I have fixed it in the code now. If we ever get a 1.3 version, you will see the correct dates. :slight_smile:


Before zest.releaser (thanks for that :beers:) there was a time where I used python <command> to push things to PyPI:

I think that running:

python register

will fix the PyPI page. IIRC I used it to fix pages with a broken rst syntax.

I think you can even test it with:

python register -r

I do not know if that still works, a lot of years have passed :slight_smile:


Version 1.2 might be worth sending an announcement for.

We noticed in our setup that the behavior of the history diff view has changed:

Plone 5.2.1 (without hotfix)

Plone 5.2.1 (with hotfix)

After the hotfix all markup is escaped, whereas the XSS vulnerability description only refers to script tags.
I was wondering if this was intended, because this seems to be yet another code-diff view, which might confuse users.

We also made the same observation for Plone 4.x installations.