Vulnerability fix: Products.isurlinportal 1.1.0

The Plone Security Team has received a report of a way around the current isURLInPortal checks. The check could be tricked into accepting a URL that contains whitespace, in particular a newline character. Because such a URL passes the check but is interpreted differently by the browser, this could lead to XSS (Cross Site Scripting) or an open redirect.

Likely not all browsers will accept such URLs when clicked, modern browsers try to prevent some XSS themselves, and your server setup may have a firewall or other code in place to prevent these kinds of attacks.
For these reasons the team has decided not to issue an official hotfix package with a pre-announcement for this issue.
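To make the bug class concrete, here is an added example (Python 3, not the Plone or Products.isurlinportal code) contrasting a naive "is this URL inside the portal" check with a hardened one. The portal URL, the sample links and the helper names are all constructed for the example. The naive variant classifies anything without a recognisable scheme as a relative link, so a newline or a leading space in the URL hides the scheme from it; the browser_normalize helper mimics what a WHATWG-style URL parser does with the same string (strip leading and trailing controls and spaces, drop tabs and newlines), which is why the browser ends up following javascript: or an external host. The hardened variant refuses any control character or raw space up front and then compares the parsed origin rather than the raw string, which, beyond the whitespace case the report is about, also catches a userinfo prefix such as portal.example@evil.example that a startswith() comparison would accept.

```python
import re
from urllib.parse import urlsplit

# Constructed portal base URL used by every check below.
PORTAL_URL = "https://portal.example"

# A WHATWG-style URL parser strips leading/trailing C0 controls and space,
# and removes every tab, CR and LF anywhere in the string, before parsing.
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))
_TAB_CR_LF = ("\t", "\r", "\n")


def browser_normalize(url):
    """Approximate what a browser does with an href before following it."""
    url = url.strip(_C0_AND_SPACE)
    for ch in _TAB_CR_LF:
        url = url.replace(ch, "")
    return url


_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def naive_is_url_in_portal(url, portal_url=PORTAL_URL):
    """Flawed check (hypothetical, written to show the bug class).

    It inspects the raw string: no scheme means "relative path inside the
    portal". Whitespace breaks the scheme regex, so a URL like
    "java<LF>script:alert(1)" or " https://evil.example/" is accepted.
    """
    m = _SCHEME_RE.match(url)
    if m is None:
        return not url.startswith("//")
    if m.group(1).lower() not in ("http", "https"):
        return False
    return url.startswith(portal_url)


def hardened_is_url_in_portal(url, portal_url=PORTAL_URL):
    """Reject control characters and spaces outright, then compare origins."""
    if not url:
        return False
    # A legitimate URL has these percent-encoded; a raw one means the string
    # we check is not the string the browser will follow, so refuse it.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return False
    if parts.scheme.lower() not in ("", "http", "https"):
        return False
    if parts.netloc == "":
        return True  # relative path, query or fragment only
    portal = urlsplit(portal_url)
    # Compare host[:port] exactly. Userinfo ("portal.example@evil.example")
    # is part of netloc, so it fails this comparison instead of passing.
    return (parts.netloc.lower() == portal.netloc.lower()
            and parts.scheme.lower() in ("", portal.scheme.lower()))


# Constructed sample links: two legitimate, one obviously external, and
# four that a raw-string check misclassifies.
CONSTRUCTED_CASES = [
    "/news/item",
    "https://portal.example/news",
    "https://evil.example/",
    "java\nscript:alert(1)",                 # newline hides the scheme
    " https://evil.example/",                # leading space hides the scheme
    "\t//evil.example/",                     # tab hides the "//" prefix
    "https://portal.example@evil.example/",  # userinfo fools startswith()
]


def compare(cases=CONSTRUCTED_CASES):
    """Return [(url, naive_verdict, hardened_verdict, url_as_browser_sees_it)]."""
    return [(u, naive_is_url_in_portal(u), hardened_is_url_in_portal(u),
             browser_normalize(u)) for u in cases]


if __name__ == "__main__":
    for url, naive, hardened, seen in compare():
        print(f"{url!r:42} naive={naive!s:5} hardened={hardened!s:5} "
              f"browser follows {seen!r}")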

A fix was tested by the security team and is now available as Products.isurlinportal 1.1.0. It is automatically included in Plone 5.2.2 (just released, waiting on installers before being really official) and in future 4.3 and 5.1 releases.

You can add this package to any current Plone site, and it will work just like a normal hotfix. Add Products.isurlinportal to the list of eggs in your buildout config, make sure that you have pinned version 1.1.0 or that buildout fetches the latest version, and run buildout.
Officially tested on Plone 4.3/5.1/5.2 with Python 2.7, and on Plone 5.2 with Python 3.7.

Thanks to Maxim Rupp who reported the issue to us.
