Zope 4.6.2 released

On behalf of the Zope developer community I am pleased to announce the release of Zope 4.6.2.

This bugfix release backports the stricter path expression traversal code from Zope 5. For the full list of changes see the change log at Change log — Zope documentation 4.5 documentation

Installation instructions can be found at Installing Zope — Zope documentation 4.5 documentation

NOTE FOR PLONE USERS: Make sure to install the latest version of PloneHotfix20210518 first, which should appear shortly after this Zope release. See 20210518 — Plone: Enterprise Level CMS - Free and OpenSource - Community Driven - Secure. Don't install Zope 4.6.2 into an existing Plone setup without testing. The traversal changes in Zope break some Plone add-ons that relied on the old traversal behavior. PloneHotfix20210518 ensures support for those Plone add-ons.

Version 1.5 of the Plone security hotfix contains a fix.
Note that we could not take over the stricter checks from Zope, because too much existing code relies on this part being less strict. But we fix a known issue.

In Plone 6 we will likely be just as strict as Zope. Hint for add-on writers: try not to use skin folders, but switch to browser views. They cannot be changed through-the-web, so they need fewer security checks. Browser views are not affected by the changes above.