[fc] Repository: plone.app.event
Branch: refs/heads/3.2.x
Date: 2021-06-16T11:52:03-07:00
Author: Alec Mitchell (alecpm) <alecpm@gmail.com>
Commit: plone/plone.app.event@8df5a20

Fix issue with events portlet rendering when thumbs disabled. Refs #332.

Files changed:
A news/332.bugfix
M plone/app/event/portlets/portlet_events.pt
Repository: plone.app.event

Branch: refs/heads/3.2.x
Date: 2021-06-18T12:33:52+02:00
Author: Jens W. Klein (jensens) <jk@kleinundpartner.at>
Commit: plone/plone.app.event@ba4daed

Merge pull request #333 from plone/332.bugfix

Fix issue with events portlet rendering when thumbs disabled (#332)

Files changed:
A news/332.bugfix
M plone/app/event/portlets/portlet_events.pt
jensens committed Jun 18, 2021
1 parent 49043ef commit 4537b97
Showing 1 changed file with 18 additions and 23 deletions.
41 changes: 18 additions & 23 deletions last_commit.txt
@@ -1,39 +1,34 @@
Repository: Products.PortalTransforms
Repository: plone.app.event


Branch: refs/heads/master
Date: 2021-06-17T00:16:07+02:00
Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org>
Commit: https://github.com/plone/Products.PortalTransforms/commit/767ced66da5bdecb261d74c448594cd0f9ec9189
Branch: refs/heads/3.2.x
Date: 2021-06-16T11:52:03-07:00
Author: Alec Mitchell (alecpm) <alecpm@gmail.com>
Commit: https://github.com/plone/plone.app.event/commit/8df5a202ee445e311f026f5c4246e124aa8a29e4

REST transform: ignore warnings and stylesheet keyword arguments.

They can be abused.
From [Products.PloneHotfix20210518](https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script).
Fix issue with events portlet rendering when thumbs disabled. Refs #332.

Files changed:
A news/3274.bugfix
M Products/PortalTransforms/tests/test_transforms.py
M Products/PortalTransforms/transforms/rest.py
A news/332.bugfix
M plone/app/event/portlets/portlet_events.pt

b'diff --git a/Products/PortalTransforms/tests/test_transforms.py b/Products/PortalTransforms/tests/test_transforms.py\nindex f89895e..9093636 100644\n--- a/Products/PortalTransforms/tests/test_transforms.py\n+++ b/Products/PortalTransforms/tests/test_transforms.py\n@@ -33,6 +33,7 @@\n import itertools\n import os\n import six\n+import unittest\n \n \n # we have to set locale because lynx output is locale sensitive !\n@@ -457,6 +458,48 @@ def test_invalid_tags(self):\n self.assertEqual(SafeHTML().scrub_html(data).strip(), \'\')\n \n \n+class RestTransformsTest(unittest.TestCase):\n+\n+ def test_rest_convert(self):\n+ # from PloneHotfix20210518\n+ from Products.PortalTransforms.data import datastream\n+ from Products.PortalTransforms.transforms.rest import rest\n+\n+ # Try to convert ReStructuredText resulting in a warning.\n+ orig = "Hello *world"\n+ data = datastream("foo")\n+ transform = rest()\n+ # With the warnings parameter you could write to the filesystem.\n+ # With the stylesheet parameter you could read from the filesystem.\n+ # https://sourceforge.net/p/docutils/bugs/413/\n+ here = os.path.dirname(__file__)\n+ warnings_file = os.path.join(here, "write.txt")\n+ css_file = os.path.join(here, "read.css")\n+ read_contents = "Arbitrary file read from OS."\n+ with open(css_file, "w") as css:\n+ css.write(read_contents)\n+ bad_keyword_arguments = {\n+ "warnings": warnings_file,\n+ "stylesheet": css_file,\n+ }\n+ try:\n+ result = transform.convert(orig, data, **bad_keyword_arguments)\n+ output = result.getData()\n+ # There should be a warning for the wrong ReStructuredText.\n+ self.assertIn("WARNING", output)\n+ # The contents of the css file should not be in the result.\n+ self.assertNotIn(read_contents, output)\n+ self.assertNotIn(css_file, output)\n+ # No file should have been written to the system.\n+ self.assertFalse(os.path.exists(warnings_file))\n+ finally:\n+ # cleanup\n+ if os.path.exists(warnings_file):\n+ os.remove(warnings_file)\n+ if 
os.path.exists(css_file):\n+ os.remove(css_file)\n+\n+\n TRANSFORMS_TESTINFO = (\n (\'Products.PortalTransforms.transforms.pdf_to_html\',\n "demo1.pdf", "demo1.html", normalize_html, 0, str,\n@@ -582,6 +625,7 @@ class TransformTestSubclass(TransformTest):\n tests.append(SafeHtmlTransformsWithFormTest)\n tests.append(WordTransformsTest)\n tests.append(ParsersTestCase)\n+ tests.append(RestTransformsTest)\n return tests\n \n \ndiff --git a/Products/PortalTransforms/transforms/rest.py b/Products/PortalTransforms/transforms/rest.py\nindex e1aee8d..322d814 100644\n--- a/Products/PortalTransforms/transforms/rest.py\n+++ b/Products/PortalTransforms/transforms/rest.py\n@@ -3,7 +3,6 @@\n from docutils.core import publish_parts\n from zope.interface import implementer\n \n-\n import six\n \n \n@@ -88,16 +87,20 @@ def convert(self, orig, data, **kwargs):\n input_encoding = kwargs.get(\'input_encoding\', encoding)\n output_encoding = kwargs.get(\'output_encoding\', encoding)\n language = kwargs.get(\'language\', \'en\')\n- warnings = kwargs.get(\'warnings\', None)\n- stylesheet = kwargs.get(\'stylesheet\', None)\n initial_header_level = int(self.config.get(\'initial_header_level\', 2))\n report_level = int(self.config.get(\'report_level\', 2))\n+ # Note: we must NOT use warning_stream and stylesheet, because an attacker can abuse them.\n+ # See https://sourceforge.net/p/docutils/bugs/413/\n+ # Part of PloneHotfix20210518.\n+ # It would be okay if we can be sure this method is called from trusted Python code,\n+ # but we cannot be sure.\n+ # We keep them in the settings, to be sure nothing changes due to this fix.\n settings = {\n \'documentclass\': \'\',\n \'traceback\': 1,\n \'input_encoding\': input_encoding,\n \'output_encoding\': output_encoding,\n- \'stylesheet\': stylesheet,\n+ \'stylesheet\': None,\n \'stylesheet_path\': None,\n \'file_insertion_enabled\': 0,\n \'raw_enabled\': 0,\n@@ -109,7 +112,7 @@ def convert(self, orig, data, **kwargs):\n # don\'t break if we get 
errors:\n \'halt_level\': 6,\n # remember warnings:\n- \'warning_stream\': warnings,\n+ \'warning_stream\': None\n }\n \n parts = publish_parts(\ndiff --git a/news/3274.bugfix b/news/3274.bugfix\nnew file mode 100644\nindex 0000000..ea4c92b\n--- /dev/null\n+++ b/news/3274.bugfix\n@@ -0,0 +1,4 @@\n+REST transform: ignore warnings and stylesheet keyword arguments.\n+They can be abused.\n+From `Products.PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script>`_.\n+[maurits]\n'
b'diff --git a/news/332.bugfix b/news/332.bugfix\nnew file mode 100644\nindex 00000000..666c2640\n--- /dev/null\n+++ b/news/332.bugfix\n@@ -0,0 +1 @@\n+Fix events portlet error when rendering with thumbnails suppressed [alecpm]\ndiff --git a/plone/app/event/portlets/portlet_events.pt b/plone/app/event/portlets/portlet_events.pt\nindex 2d3ba092..e7f847e8 100644\n--- a/plone/app/event/portlets/portlet_events.pt\n+++ b/plone/app/event/portlets/portlet_events.pt\n@@ -29,7 +29,7 @@\n tal:attributes="href item_url;\n title item_descr"\n tal:define="scale item/context/@@images|nothing;">\n- <span tal:condition="item_hasimage">\n+ <span tal:condition="python:thumb_scale and item_hasimage">\n <img tal:define="img_tag python:scale.scale(\'image\', scale=thumb_scale).tag(css_class=\'pull-right thumb-\'+thumb_scale)"\n tal:replace="structure img_tag" />\n </span>\n'

Repository: Products.PortalTransforms
Repository: plone.app.event


Branch: refs/heads/master
Date: 2021-06-18T12:33:23+02:00
Branch: refs/heads/3.2.x
Date: 2021-06-18T12:33:52+02:00
Author: Jens W. Klein (jensens) <jk@kleinundpartner.at>
Commit: https://github.com/plone/Products.PortalTransforms/commit/a575a00fa69890d60233ed9f34ca3df980861a07
Commit: https://github.com/plone/plone.app.event/commit/ba4daed4c9e3e6d1adc18f5cc0b6b3f5a4e60ee6

Merge pull request #45 from plone/hotfix-20210518
Merge pull request #333 from plone/332.bugfix

REST transform: ignore warnings and stylesheet keyword arguments.
Fix issue with events portlet rendering when thumbs disabled (#332)

Files changed:
A news/3274.bugfix
M Products/PortalTransforms/tests/test_transforms.py
M Products/PortalTransforms/transforms/rest.py
A news/332.bugfix
M plone/app/event/portlets/portlet_events.pt

b'diff --git a/Products/PortalTransforms/tests/test_transforms.py b/Products/PortalTransforms/tests/test_transforms.py\nindex f89895e..9093636 100644\n--- a/Products/PortalTransforms/tests/test_transforms.py\n+++ b/Products/PortalTransforms/tests/test_transforms.py\n@@ -33,6 +33,7 @@\n import itertools\n import os\n import six\n+import unittest\n \n \n # we have to set locale because lynx output is locale sensitive !\n@@ -457,6 +458,48 @@ def test_invalid_tags(self):\n self.assertEqual(SafeHTML().scrub_html(data).strip(), \'\')\n \n \n+class RestTransformsTest(unittest.TestCase):\n+\n+ def test_rest_convert(self):\n+ # from PloneHotfix20210518\n+ from Products.PortalTransforms.data import datastream\n+ from Products.PortalTransforms.transforms.rest import rest\n+\n+ # Try to convert ReStructuredText resulting in a warning.\n+ orig = "Hello *world"\n+ data = datastream("foo")\n+ transform = rest()\n+ # With the warnings parameter you could write to the filesystem.\n+ # With the stylesheet parameter you could read from the filesystem.\n+ # https://sourceforge.net/p/docutils/bugs/413/\n+ here = os.path.dirname(__file__)\n+ warnings_file = os.path.join(here, "write.txt")\n+ css_file = os.path.join(here, "read.css")\n+ read_contents = "Arbitrary file read from OS."\n+ with open(css_file, "w") as css:\n+ css.write(read_contents)\n+ bad_keyword_arguments = {\n+ "warnings": warnings_file,\n+ "stylesheet": css_file,\n+ }\n+ try:\n+ result = transform.convert(orig, data, **bad_keyword_arguments)\n+ output = result.getData()\n+ # There should be a warning for the wrong ReStructuredText.\n+ self.assertIn("WARNING", output)\n+ # The contents of the css file should not be in the result.\n+ self.assertNotIn(read_contents, output)\n+ self.assertNotIn(css_file, output)\n+ # No file should have been written to the system.\n+ self.assertFalse(os.path.exists(warnings_file))\n+ finally:\n+ # cleanup\n+ if os.path.exists(warnings_file):\n+ os.remove(warnings_file)\n+ if 
os.path.exists(css_file):\n+ os.remove(css_file)\n+\n+\n TRANSFORMS_TESTINFO = (\n (\'Products.PortalTransforms.transforms.pdf_to_html\',\n "demo1.pdf", "demo1.html", normalize_html, 0, str,\n@@ -582,6 +625,7 @@ class TransformTestSubclass(TransformTest):\n tests.append(SafeHtmlTransformsWithFormTest)\n tests.append(WordTransformsTest)\n tests.append(ParsersTestCase)\n+ tests.append(RestTransformsTest)\n return tests\n \n \ndiff --git a/Products/PortalTransforms/transforms/rest.py b/Products/PortalTransforms/transforms/rest.py\nindex e1aee8d..322d814 100644\n--- a/Products/PortalTransforms/transforms/rest.py\n+++ b/Products/PortalTransforms/transforms/rest.py\n@@ -3,7 +3,6 @@\n from docutils.core import publish_parts\n from zope.interface import implementer\n \n-\n import six\n \n \n@@ -88,16 +87,20 @@ def convert(self, orig, data, **kwargs):\n input_encoding = kwargs.get(\'input_encoding\', encoding)\n output_encoding = kwargs.get(\'output_encoding\', encoding)\n language = kwargs.get(\'language\', \'en\')\n- warnings = kwargs.get(\'warnings\', None)\n- stylesheet = kwargs.get(\'stylesheet\', None)\n initial_header_level = int(self.config.get(\'initial_header_level\', 2))\n report_level = int(self.config.get(\'report_level\', 2))\n+ # Note: we must NOT use warning_stream and stylesheet, because an attacker can abuse them.\n+ # See https://sourceforge.net/p/docutils/bugs/413/\n+ # Part of PloneHotfix20210518.\n+ # It would be okay if we can be sure this method is called from trusted Python code,\n+ # but we cannot be sure.\n+ # We keep them in the settings, to be sure nothing changes due to this fix.\n settings = {\n \'documentclass\': \'\',\n \'traceback\': 1,\n \'input_encoding\': input_encoding,\n \'output_encoding\': output_encoding,\n- \'stylesheet\': stylesheet,\n+ \'stylesheet\': None,\n \'stylesheet_path\': None,\n \'file_insertion_enabled\': 0,\n \'raw_enabled\': 0,\n@@ -109,7 +112,7 @@ def convert(self, orig, data, **kwargs):\n # don\'t break if we get 
errors:\n \'halt_level\': 6,\n # remember warnings:\n- \'warning_stream\': warnings,\n+ \'warning_stream\': None\n }\n \n parts = publish_parts(\ndiff --git a/news/3274.bugfix b/news/3274.bugfix\nnew file mode 100644\nindex 0000000..ea4c92b\n--- /dev/null\n+++ b/news/3274.bugfix\n@@ -0,0 +1,4 @@\n+REST transform: ignore warnings and stylesheet keyword arguments.\n+They can be abused.\n+From `Products.PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script>`_.\n+[maurits]\n'
b'diff --git a/news/332.bugfix b/news/332.bugfix\nnew file mode 100644\nindex 00000000..666c2640\n--- /dev/null\n+++ b/news/332.bugfix\n@@ -0,0 +1 @@\n+Fix events portlet error when rendering with thumbnails suppressed [alecpm]\ndiff --git a/plone/app/event/portlets/portlet_events.pt b/plone/app/event/portlets/portlet_events.pt\nindex 2d3ba092..e7f847e8 100644\n--- a/plone/app/event/portlets/portlet_events.pt\n+++ b/plone/app/event/portlets/portlet_events.pt\n@@ -29,7 +29,7 @@\n tal:attributes="href item_url;\n title item_descr"\n tal:define="scale item/context/@@images|nothing;">\n- <span tal:condition="item_hasimage">\n+ <span tal:condition="python:thumb_scale and item_hasimage">\n <img tal:define="img_tag python:scale.scale(\'image\', scale=thumb_scale).tag(css_class=\'pull-right thumb-\'+thumb_scale)"\n tal:replace="structure img_tag" />\n </span>\n'
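Review bot: both the removed Products.PortalTransforms entry and the new plone.app.event entry embed their patches as Python bytes literals (`b'diff --git ...\n'`, with `\n` and `\'` escapes) rather than as decoded text, so last_commit.txt is neither human-readable nor usable with `git apply`; the generator that writes this file should `.decode('utf-8')` the diff before emitting it, and ideally indent the hunk bodies, since the collapsed whitespace inside the embedded rest.py and test_transforms.py hunks makes the block structure hard to follow. Note also that the file is overwritten wholesale (39 lines out, 34 in), so the record of the PloneHotfix20210518-related commit a575a00 only survives in this repository's history from this change on; that is fine if the file is meant to hold the latest commit only, but worth stating in the commit message.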
