vangheem committed Sep 10, 2015
1 parent 859b9a0 commit 9f0111f
Showing 7 changed files with 65 additions and 3 deletions.
3 changes: 3 additions & 0 deletions Products/CMFPlone/URLTool.py
Expand Up @@ -30,6 +30,9 @@ def isURLInPortal(self, url, context=None):
"""
# sanitize url
url = re.sub('^[\x00-\x20]+', '', url).strip()
if ('<script' in url or '%3Cscript' in url or 'javascript:' in url or
'javascript%3A' in url):
return False

p_url = self()

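Review bot: The new substring check on the three added lines is case-sensitive, so it only matches the exact lowercase spellings listed, while the remainder of `isURLInPortal` (which continues outside the hunk) presumably compares the url without regard to case; a mixed-case or differently encoded spelling of the same thing is not rejected here. Normalise before comparing, e.g. `lowered = url.lower()` followed by `if ('<script' in lowered or '%3cscript' in lowered or 'javascript:' in lowered or 'javascript%3a' in lowered):`; better still, split the url with the stdlib `urlparse` module and refuse any scheme other than http/https up front, which avoids maintaining a growing blacklist. The sanitisation line above only strips leading control characters, so a short comment such as `# reject script payloads and javascript: URLs before comparing against the portal URL` would also make the intent of the block clear to the next reader.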
8 changes: 8 additions & 0 deletions Products/CMFPlone/patches/__init__.py
Expand Up @@ -24,3 +24,11 @@

import sendmail
sendmail.applyPatches()

try:
# kupu may not be installed
import kupu
except ImportError:
pass

import addMember
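Review bot: The `try`/`except ImportError: pass` around `import kupu` swallows more than the absence of Products.kupu: the patch module itself imports several `AccessControl.Permission` names, and an ImportError raised by any of those would silently skip the permission hardening with no log line. Probe for the optional dependency separately and import the patch unguarded, e.g. `try: import Products.kupu  # noqa` / `except ImportError: pass` / `else: import kupu`, or at least log at warning level in the except branch so a skipped patch is visible. The two new patches also run at import time, unlike the `sendmail.applyPatches()` convention two lines up; if that is deliberate, a one-line comment saying so would save the next maintainer from looking for a missing call.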
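--- /dev/null
+++ b/Products/CMFPlone/patches/addMember.py
@@ -0,0 +1,8 @@
+try:
+    from Products.CMFPlone import patches # noqa
+except ImportError:
+    pass
+
+from Products.CMFCore.RegistrationTool import RegistrationTool
+if hasattr(RegistrationTool.addMember.im_func, '__doc__'):
+    del RegistrationTool.addMember.im_func.__doc__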
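Review bot: The module carries no comment explaining why the docstring is deleted, and the mechanism is non-obvious: ZPublisher only publishes methods that have a docstring, so removing it makes `portal_registration/addMember` unreachable over HTTP (the 404 asserted in testCSRFProtection.py) while leaving it callable from Python code. A header such as `# Drop addMember's docstring so ZPublisher no longer publishes it over the web; the form-based registration path is unaffected` would record that. The `hasattr` guard on `im_func` looks redundant, since function objects always expose `__doc__` (possibly None) — if it is meant to make a second import harmless, say so in a comment. The unused `patches` import at the top is equally unexplained; a one-line comment on what import ordering it is meant to guarantee would help.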
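--- /dev/null
+++ b/Products/CMFPlone/patches/kupu.py
@@ -0,0 +1,22 @@
+#####################
+# Newly created sites
+
+from AccessControl.Permission import _registeredPermissions
+from AccessControl.Permission import ApplicationDefaultPermissions
+from AccessControl.Permission import pname
+from Products.kupu.plone import permissions
+
+
+mangled = pname(permissions.ManageLibraries)
+if hasattr(ApplicationDefaultPermissions, mangled):
+    delattr(ApplicationDefaultPermissions, mangled)
+
+
+if permissions.ManageLibraries in _registeredPermissions:
+    del _registeredPermissions[permissions.ManageLibraries]
+
+
+permissions.setDefaultRoles(
+    permissions.ManageLibraries,
+    ('Manager', 'Site Administrator',)
+)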
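Review bot: The header comment `# Newly created sites` does not say what is being done or why: the module removes kupu's ManageLibraries permission from `ApplicationDefaultPermissions` and from the private `_registeredPermissions` table, then re-registers it with default roles limited to Manager and Site Administrator. Spell that out, e.g. `# Re-register kupu's 'Manage Libraries' permission so that newly created sites grant it to Manager and Site Administrator only; existing sites keep their current role mapping` (the second half is my reading of the header — confirm before writing it). Touching `_registeredPermissions` relies on a private AccessControl attribute, so noting the AccessControl version this was written against would help whoever upgrades next. The patch also runs entirely at import time with no `applyPatches()` entry point, unlike `sendmail` in `patches/__init__.py`; either wrap it in a function or comment that the import-time execution is intentional.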
15 changes: 12 additions & 3 deletions Products/CMFPlone/tests/testCSRFProtection.py
Expand Up @@ -63,9 +63,18 @@ def test_PloneTool_renameObjectsByPaths(self):
self.assertTrue(self.portal.get('foo', None))

def test_RegistrationTool_addMember(self):
self.checkAuthenticator(
'/portal_registration/addMember',
'id=john&password=y0d4Wg')
# self.checkAuthenticator(
# '/portal_registration/addMember',
# 'id=john&password=y0d4Wg')
# instead of authenticator, with latest patch, addMember should not
# be published
path = '/portal_registration/addMember'
path = '/' + self.portal.absolute_url(relative=True) + path
query = 'id=john&password=y0d4Wg'
data = StringIO(query)
response = self.publish(path=path, env={},
request_method='POST', stdin=data)
self.assertEqual(response.getStatus(), 404)

def test_RegistrationTool_editMember(self):
self.checkAuthenticator(
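Review bot: The three commented-out `checkAuthenticator` lines should be deleted rather than kept; the comment beneath them already records why the assertion changed, and dead code in a test tends to get resurrected. That comment could be tightened to `# addMember is no longer published (patches/addMember.py removes its docstring), so a direct POST must 404`. A 404 only shows the method is unreachable over HTTP; if the suite has a test of the form-based registration path, reference it here so the two together show the hotfix does not break normal sign-up — no such test is visible in this hunk. `StringIO` must already be imported in this module, which is outside the hunk.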
9 changes: 9 additions & 0 deletions Products/CMFPlone/tests/testURLTool.py
Expand Up @@ -96,3 +96,12 @@ def test_isURLInPortalExternal(self):
self.assertFalse(iURLiP('http://external4/other'))
self.assertFalse(iURLiP('http://external5'))
self.assertFalse(iURLiP('http://external11'))

def test_script_tag_url_not_in_portal(self):
self.assertFalse(self.portal.portal_url.isURLInPortal('<script>alert("hi");</script>'))
self.assertFalse(
self.portal.portal_url.isURLInPortal('%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))

def test_inline_url_not_in_portal(self):
self.assertFalse(self.portal.portal_url.isURLInPortal('javascript%3Aalert(3)'))
self.assertFalse(self.portal.portal_url.isURLInPortal('javascript:alert(3)'))
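Review bot: Both new tests call `self.portal.portal_url.isURLInPortal` in full on every line, while the neighbouring test appears to bind it once as `iURLiP`; writing `iURLiP = self.portal.portal_url.isURLInPortal` at the top of each new test keeps the module's style consistent and shortens the over-long line with the percent-encoded payload. The cases also only cover the exact lowercase spellings that URLTool.py lists; adding an upper- or mixed-case variant and an input with leading whitespace would exercise the normalisation path as well as the new check.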
3 changes: 3 additions & 0 deletions docs/CHANGES.rst
Expand Up @@ -8,6 +8,9 @@ Changelog
4.3.7 (unreleased)
------------------

- Apply hotfixes from https://pypi.python.org/pypi/Products.PloneHotfix20150910
[vangheem]

- Do not throw a 404 on site root RSS feeds
[vangheem]

