Merge pull request #255 from collective/maurits/cmfplone-issue-3209-l…

…xml-2x Field xml editor: do not resolve entitities [2.x]
collective · Nov 17, 2020 · 54ef8dc · 54ef8dc
2 parents cfea609 + 602adbd
commit 54ef8dc
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 5 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -54,7 +54,8 @@ before_script:
   - sleep 3
 script:
 # Run code-analysis, except on Python 3.6, which mysteriously fails to find zc.buildout.
-  - python --version 2> /dev/stdout | grep 3.6 || bin/code-analysis
+# Do not run it on Plone 5.0 either, because there is too often yet another version conflict on install.
+  - python --version 2> /dev/stdout | grep 3.6 || echo $PLONE_VERSION | grep 5.0 || bin/code-analysis
   - bin/test --all $TEST_OPTIONS
 after_success:
   - bin/createcoverage -t '--all $TEST_OPTIONS'

diff --git a/buildout.cfg b/buildout.cfg
@@ -37,3 +37,4 @@ eggs =
 [versions]
 # Don't use a released version of collective.easyforms
 collective.easyforms =
+Pillow = 3.3.3
diff --git a/news/3209.bugfix b/news/3209.bugfix
@@ -0,0 +1,2 @@
+For increased security, in the modeleditor do not resolve entities, and remove processing instructions.
+[maurits]
diff --git a/src/collective/easyform/browser/fields.py b/src/collective/easyform/browser/fields.py
@@ -155,9 +155,13 @@ def __call__(self):
 
         source = self.request.form.get("source")
         if source:
+            # Some safety measures.
+            # We do not want to load entities, especially file:/// entities.
+            # Also discard processing instructions.
+            parser = etree.XMLParser(resolve_entities=False, remove_pis=True)
             # Is it valid XML?
             try:
-                root = etree.fromstring(source)
+                root = etree.fromstring(source, parser=parser)
             except etree.XMLSyntaxError as e:
                 return dumps(
                     {

diff --git a/tests-5.0.x.cfg b/tests-5.0.x.cfg
@@ -5,9 +5,12 @@ extends =
     https://raw.githubusercontent.com/plone/plone.app.robotframework/master/versions.cfg
     base.cfg
 
-parts +=
+parts=
+    instance
     test
-    code-analysis
+# This too often fails because of a version conflict:
+#    code-analysis
+    i18ndude
     createcoverage
 
 package-name = collective.easyform
@@ -17,8 +20,10 @@ test-eggs =
 [versions]
 setuptools =
 zc.buildout =
+check-manifest = 0.41
 coverage = >=3.7
 plone.app.mosaic =
 plone.app.robotframework = 1.5.0
 plone.formwidget.recaptcha = 2.1.0
-pycodestyle = 2.5.0
+pycodestyle = 2.5.0
+flake8 = 3.7.9
diff --git a/tests-5.1.x.cfg b/tests-5.1.x.cfg
@@ -17,6 +17,7 @@ test-eggs =
 [versions]
 setuptools =
 zc.buildout =
+check-manifest = 0.41
 coverage = >=3.7
 plone.app.mosaic =
 plone.app.robotframework = 1.5.0