Branch: refs/heads/3.2.x Date: 2021-06-16T11:52:03-07:00 Author: Alec Mitchell (alecpm) <alecpm@gmail.com> Commit: plone/plone.app.event@8df5a20 Fix issue with events portlet rendering when thumbs disabled. Refs #332. Files changed: A news/332.bugfix M plone/app/event/portlets/portlet_events.pt Repository: plone.app.event Branch: refs/heads/3.2.x Date: 2021-06-18T12:33:52+02:00 Author: Jens W. Klein (jensens) <jk@kleinundpartner.at> Commit: plone/plone.app.event@ba4daed Merge pull request #333 from plone/332.bugfix Fix issue with events portlet rendering when thumbs disabled (#332) Files changed: A news/332.bugfix M plone/app/event/portlets/portlet_events.pt
Showing
1 changed file
with
18 additions
and
23 deletions.
@@ -1,39 +1,34 @@ | ||
Repository: Products.PortalTransforms | ||
Repository: plone.app.event | ||
|
||
|
||
Branch: refs/heads/master | ||
Date: 2021-06-17T00:16:07+02:00 | ||
Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> | ||
Commit: https://github.com/plone/Products.PortalTransforms/commit/767ced66da5bdecb261d74c448594cd0f9ec9189 | ||
Branch: refs/heads/3.2.x | ||
Date: 2021-06-16T11:52:03-07:00 | ||
Author: Alec Mitchell (alecpm) <alecpm@gmail.com> | ||
Commit: https://github.com/plone/plone.app.event/commit/8df5a202ee445e311f026f5c4246e124aa8a29e4 | ||
|
||
REST transform: ignore warnings and stylesheet keyword arguments. | ||
|
||
They can be abused. | ||
From [Products.PloneHotfix20210518](https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script). | ||
Fix issue with events portlet rendering when thumbs disabled. Refs #332. | ||
|
||
Files changed: | ||
A news/3274.bugfix | ||
M Products/PortalTransforms/tests/test_transforms.py | ||
M Products/PortalTransforms/transforms/rest.py | ||
A news/332.bugfix | ||
M plone/app/event/portlets/portlet_events.pt | ||
|
||
b'diff --git a/Products/PortalTransforms/tests/test_transforms.py b/Products/PortalTransforms/tests/test_transforms.py\nindex f89895e..9093636 100644\n--- a/Products/PortalTransforms/tests/test_transforms.py\n+++ b/Products/PortalTransforms/tests/test_transforms.py\n@@ -33,6 +33,7 @@\n import itertools\n import os\n import six\n+import unittest\n \n \n # we have to set locale because lynx output is locale sensitive !\n@@ -457,6 +458,48 @@ def test_invalid_tags(self):\n self.assertEqual(SafeHTML().scrub_html(data).strip(), \'\')\n \n \n+class RestTransformsTest(unittest.TestCase):\n+\n+ def test_rest_convert(self):\n+ # from PloneHotfix20210518\n+ from Products.PortalTransforms.data import datastream\n+ from Products.PortalTransforms.transforms.rest import rest\n+\n+ # Try to convert ReStructuredText resulting in a warning.\n+ orig = "Hello *world"\n+ data = datastream("foo")\n+ transform = rest()\n+ # With the warnings parameter you could write to the filesystem.\n+ # With the stylesheet parameter you could read from the filesystem.\n+ # https://sourceforge.net/p/docutils/bugs/413/\n+ here = os.path.dirname(__file__)\n+ warnings_file = os.path.join(here, "write.txt")\n+ css_file = os.path.join(here, "read.css")\n+ read_contents = "Arbitrary file read from OS."\n+ with open(css_file, "w") as css:\n+ css.write(read_contents)\n+ bad_keyword_arguments = {\n+ "warnings": warnings_file,\n+ "stylesheet": css_file,\n+ }\n+ try:\n+ result = transform.convert(orig, data, **bad_keyword_arguments)\n+ output = result.getData()\n+ # There should be a warning for the wrong ReStructuredText.\n+ self.assertIn("WARNING", output)\n+ # The contents of the css file should not be in the result.\n+ self.assertNotIn(read_contents, output)\n+ self.assertNotIn(css_file, output)\n+ # No file should have been written to the system.\n+ self.assertFalse(os.path.exists(warnings_file))\n+ finally:\n+ # cleanup\n+ if os.path.exists(warnings_file):\n+ os.remove(warnings_file)\n+ if 
os.path.exists(css_file):\n+ os.remove(css_file)\n+\n+\n TRANSFORMS_TESTINFO = (\n (\'Products.PortalTransforms.transforms.pdf_to_html\',\n "demo1.pdf", "demo1.html", normalize_html, 0, str,\n@@ -582,6 +625,7 @@ class TransformTestSubclass(TransformTest):\n tests.append(SafeHtmlTransformsWithFormTest)\n tests.append(WordTransformsTest)\n tests.append(ParsersTestCase)\n+ tests.append(RestTransformsTest)\n return tests\n \n \ndiff --git a/Products/PortalTransforms/transforms/rest.py b/Products/PortalTransforms/transforms/rest.py\nindex e1aee8d..322d814 100644\n--- a/Products/PortalTransforms/transforms/rest.py\n+++ b/Products/PortalTransforms/transforms/rest.py\n@@ -3,7 +3,6 @@\n from docutils.core import publish_parts\n from zope.interface import implementer\n \n-\n import six\n \n \n@@ -88,16 +87,20 @@ def convert(self, orig, data, **kwargs):\n input_encoding = kwargs.get(\'input_encoding\', encoding)\n output_encoding = kwargs.get(\'output_encoding\', encoding)\n language = kwargs.get(\'language\', \'en\')\n- warnings = kwargs.get(\'warnings\', None)\n- stylesheet = kwargs.get(\'stylesheet\', None)\n initial_header_level = int(self.config.get(\'initial_header_level\', 2))\n report_level = int(self.config.get(\'report_level\', 2))\n+ # Note: we must NOT use warning_stream and stylesheet, because an attacker can abuse them.\n+ # See https://sourceforge.net/p/docutils/bugs/413/\n+ # Part of PloneHotfix20210518.\n+ # It would be okay if we can be sure this method is called from trusted Python code,\n+ # but we cannot be sure.\n+ # We keep them in the settings, to be sure nothing changes due to this fix.\n settings = {\n \'documentclass\': \'\',\n \'traceback\': 1,\n \'input_encoding\': input_encoding,\n \'output_encoding\': output_encoding,\n- \'stylesheet\': stylesheet,\n+ \'stylesheet\': None,\n \'stylesheet_path\': None,\n \'file_insertion_enabled\': 0,\n \'raw_enabled\': 0,\n@@ -109,7 +112,7 @@ def convert(self, orig, data, **kwargs):\n # don\'t break if we get 
errors:\n \'halt_level\': 6,\n # remember warnings:\n- \'warning_stream\': warnings,\n+ \'warning_stream\': None\n }\n \n parts = publish_parts(\ndiff --git a/news/3274.bugfix b/news/3274.bugfix\nnew file mode 100644\nindex 0000000..ea4c92b\n--- /dev/null\n+++ b/news/3274.bugfix\n@@ -0,0 +1,4 @@\n+REST transform: ignore warnings and stylesheet keyword arguments.\n+They can be abused.\n+From `Products.PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script>`_.\n+[maurits]\n' | ||
b'diff --git a/news/332.bugfix b/news/332.bugfix\nnew file mode 100644\nindex 00000000..666c2640\n--- /dev/null\n+++ b/news/332.bugfix\n@@ -0,0 +1 @@\n+Fix events portlet error when rendering with thumbnails suppressed [alecpm]\ndiff --git a/plone/app/event/portlets/portlet_events.pt b/plone/app/event/portlets/portlet_events.pt\nindex 2d3ba092..e7f847e8 100644\n--- a/plone/app/event/portlets/portlet_events.pt\n+++ b/plone/app/event/portlets/portlet_events.pt\n@@ -29,7 +29,7 @@\n tal:attributes="href item_url;\n title item_descr"\n tal:define="scale item/context/@@images|nothing;">\n- <span tal:condition="item_hasimage">\n+ <span tal:condition="python:thumb_scale and item_hasimage">\n <img tal:define="img_tag python:scale.scale(\'image\', scale=thumb_scale).tag(css_class=\'pull-right thumb-\'+thumb_scale)"\n tal:replace="structure img_tag" />\n </span>\n' | ||
|
||
Repository: Products.PortalTransforms | ||
Repository: plone.app.event | ||
|
||
|
||
Branch: refs/heads/master | ||
Date: 2021-06-18T12:33:23+02:00 | ||
Branch: refs/heads/3.2.x | ||
Date: 2021-06-18T12:33:52+02:00 | ||
Author: Jens W. Klein (jensens) <jk@kleinundpartner.at> | ||
Commit: https://github.com/plone/Products.PortalTransforms/commit/a575a00fa69890d60233ed9f34ca3df980861a07 | ||
Commit: https://github.com/plone/plone.app.event/commit/ba4daed4c9e3e6d1adc18f5cc0b6b3f5a4e60ee6 | ||
|
||
Merge pull request #45 from plone/hotfix-20210518 | ||
Merge pull request #333 from plone/332.bugfix | ||
|
||
REST transform: ignore warnings and stylesheet keyword arguments. | ||
Fix issue with events portlet rendering when thumbs disabled (#332) | ||
|
||
Files changed: | ||
A news/3274.bugfix | ||
M Products/PortalTransforms/tests/test_transforms.py | ||
M Products/PortalTransforms/transforms/rest.py | ||
A news/332.bugfix | ||
M plone/app/event/portlets/portlet_events.pt | ||
|
||
b'diff --git a/Products/PortalTransforms/tests/test_transforms.py b/Products/PortalTransforms/tests/test_transforms.py\nindex f89895e..9093636 100644\n--- a/Products/PortalTransforms/tests/test_transforms.py\n+++ b/Products/PortalTransforms/tests/test_transforms.py\n@@ -33,6 +33,7 @@\n import itertools\n import os\n import six\n+import unittest\n \n \n # we have to set locale because lynx output is locale sensitive !\n@@ -457,6 +458,48 @@ def test_invalid_tags(self):\n self.assertEqual(SafeHTML().scrub_html(data).strip(), \'\')\n \n \n+class RestTransformsTest(unittest.TestCase):\n+\n+ def test_rest_convert(self):\n+ # from PloneHotfix20210518\n+ from Products.PortalTransforms.data import datastream\n+ from Products.PortalTransforms.transforms.rest import rest\n+\n+ # Try to convert ReStructuredText resulting in a warning.\n+ orig = "Hello *world"\n+ data = datastream("foo")\n+ transform = rest()\n+ # With the warnings parameter you could write to the filesystem.\n+ # With the stylesheet parameter you could read from the filesystem.\n+ # https://sourceforge.net/p/docutils/bugs/413/\n+ here = os.path.dirname(__file__)\n+ warnings_file = os.path.join(here, "write.txt")\n+ css_file = os.path.join(here, "read.css")\n+ read_contents = "Arbitrary file read from OS."\n+ with open(css_file, "w") as css:\n+ css.write(read_contents)\n+ bad_keyword_arguments = {\n+ "warnings": warnings_file,\n+ "stylesheet": css_file,\n+ }\n+ try:\n+ result = transform.convert(orig, data, **bad_keyword_arguments)\n+ output = result.getData()\n+ # There should be a warning for the wrong ReStructuredText.\n+ self.assertIn("WARNING", output)\n+ # The contents of the css file should not be in the result.\n+ self.assertNotIn(read_contents, output)\n+ self.assertNotIn(css_file, output)\n+ # No file should have been written to the system.\n+ self.assertFalse(os.path.exists(warnings_file))\n+ finally:\n+ # cleanup\n+ if os.path.exists(warnings_file):\n+ os.remove(warnings_file)\n+ if 
os.path.exists(css_file):\n+ os.remove(css_file)\n+\n+\n TRANSFORMS_TESTINFO = (\n (\'Products.PortalTransforms.transforms.pdf_to_html\',\n "demo1.pdf", "demo1.html", normalize_html, 0, str,\n@@ -582,6 +625,7 @@ class TransformTestSubclass(TransformTest):\n tests.append(SafeHtmlTransformsWithFormTest)\n tests.append(WordTransformsTest)\n tests.append(ParsersTestCase)\n+ tests.append(RestTransformsTest)\n return tests\n \n \ndiff --git a/Products/PortalTransforms/transforms/rest.py b/Products/PortalTransforms/transforms/rest.py\nindex e1aee8d..322d814 100644\n--- a/Products/PortalTransforms/transforms/rest.py\n+++ b/Products/PortalTransforms/transforms/rest.py\n@@ -3,7 +3,6 @@\n from docutils.core import publish_parts\n from zope.interface import implementer\n \n-\n import six\n \n \n@@ -88,16 +87,20 @@ def convert(self, orig, data, **kwargs):\n input_encoding = kwargs.get(\'input_encoding\', encoding)\n output_encoding = kwargs.get(\'output_encoding\', encoding)\n language = kwargs.get(\'language\', \'en\')\n- warnings = kwargs.get(\'warnings\', None)\n- stylesheet = kwargs.get(\'stylesheet\', None)\n initial_header_level = int(self.config.get(\'initial_header_level\', 2))\n report_level = int(self.config.get(\'report_level\', 2))\n+ # Note: we must NOT use warning_stream and stylesheet, because an attacker can abuse them.\n+ # See https://sourceforge.net/p/docutils/bugs/413/\n+ # Part of PloneHotfix20210518.\n+ # It would be okay if we can be sure this method is called from trusted Python code,\n+ # but we cannot be sure.\n+ # We keep them in the settings, to be sure nothing changes due to this fix.\n settings = {\n \'documentclass\': \'\',\n \'traceback\': 1,\n \'input_encoding\': input_encoding,\n \'output_encoding\': output_encoding,\n- \'stylesheet\': stylesheet,\n+ \'stylesheet\': None,\n \'stylesheet_path\': None,\n \'file_insertion_enabled\': 0,\n \'raw_enabled\': 0,\n@@ -109,7 +112,7 @@ def convert(self, orig, data, **kwargs):\n # don\'t break if we get 
errors:\n \'halt_level\': 6,\n # remember warnings:\n- \'warning_stream\': warnings,\n+ \'warning_stream\': None\n }\n \n parts = publish_parts(\ndiff --git a/news/3274.bugfix b/news/3274.bugfix\nnew file mode 100644\nindex 0000000..ea4c92b\n--- /dev/null\n+++ b/news/3274.bugfix\n@@ -0,0 +1,4 @@\n+REST transform: ignore warnings and stylesheet keyword arguments.\n+They can be abused.\n+From `Products.PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/writing-arbitrary-files-via-docutils-and-python-script>`_.\n+[maurits]\n' | ||
b'diff --git a/news/332.bugfix b/news/332.bugfix\nnew file mode 100644\nindex 00000000..666c2640\n--- /dev/null\n+++ b/news/332.bugfix\n@@ -0,0 +1 @@\n+Fix events portlet error when rendering with thumbnails suppressed [alecpm]\ndiff --git a/plone/app/event/portlets/portlet_events.pt b/plone/app/event/portlets/portlet_events.pt\nindex 2d3ba092..e7f847e8 100644\n--- a/plone/app/event/portlets/portlet_events.pt\n+++ b/plone/app/event/portlets/portlet_events.pt\n@@ -29,7 +29,7 @@\n tal:attributes="href item_url;\n title item_descr"\n tal:define="scale item/context/@@images|nothing;">\n- <span tal:condition="item_hasimage">\n+ <span tal:condition="python:thumb_scale and item_hasimage">\n <img tal:define="img_tag python:scale.scale(\'image\', scale=thumb_scale).tag(css_class=\'pull-right thumb-\'+thumb_scale)"\n tal:replace="structure img_tag" />\n </span>\n' | ||
|