Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issues in the background #3209

Closed
MisakiKata opened this issue Nov 10, 2020 · 7 comments
Closed

Security issues in the background #3209

MisakiKata opened this issue Nov 10, 2020 · 7 comments
Labels
01 type: bug 11 prio: blocker 21 status: confirmed

Comments

@MisakiKata
Copy link

Hi, I found several security issues in the background, please pay attention to deal with it

address: https://www.misakikata.com/codes/plone/python-en.html
@mauritsvanrees
Copy link
Member

Thanks for the report.
But next time, can you contact the Plone Security Team via [email protected]? See also https://plone.org/security/report
I have just now added a new issue template to make this clearer. You can see this when trying to create a new issue.

I have mailed the issue link to them (I am on the team as well).

Seems you need an account for all the points you raise, and mostly at least the Site Administrator role, at least in default Plone without add-ons. So that is a big hurdle. Still, this does not look good, and we should fix this.

@jensens
Copy link
Member

jensens commented Nov 10, 2020

Thanks for your report!

Some first checks:

@MisakiKata
Copy link
Author

@mauritsvanrees @jensens
Sorry, when I looked up the submission method on the official website, I saw that the report error pointed to GitHub, so I thought I needed to submit it in the issue, and thank you for your feedback and processing.

mauritsvanrees added a commit to plone/plone.app.theming that referenced this issue Nov 16, 2020
@mauritsvanrees
For increased security, fail when trying file protocol access in diaz…
b22ccb1 
…o rules.

Also do not resolve entities, and remove processing instructions.
See plone/Products.CMFPlone#3209
@mauritsvanrees mauritsvanrees mentioned this issue Nov 16, 2020
Merged
mauritsvanrees added a commit to plone/plone.app.dexterity that referenced this issue Nov 16, 2020
@mauritsvanrees
For increased security, in the modeleditor do not resolve entities, a…
b11b514 
…nd remove processing instructions.

See plone/Products.CMFPlone#3209
@mauritsvanrees mauritsvanrees mentioned this issue Nov 16, 2020
Merged
mauritsvanrees added a commit to plone/plone.supermodel that referenced this issue Nov 16, 2020
@mauritsvanrees
For increased security, in the xml parser do not resolve entities, an…
ee8f4bd 
…d remove processing instructions.

See plone/Products.CMFPlone#3209
@mauritsvanrees mauritsvanrees mentioned this issue Nov 16, 2020
Merged
@mauritsvanrees mauritsvanrees mentioned this issue Nov 16, 2020
Merged
mauritsvanrees added a commit to collective/collective.easyform that referenced this issue Nov 16, 2020
@mauritsvanrees
For increased security, in the field xml editor do not resolve entiti…
21b33ad 
…es, and remove processing instructions.

See plone/Products.CMFPlone#3209
@mauritsvanrees mauritsvanrees mentioned this issue Nov 16, 2020
Merged
@mauritsvanrees mauritsvanrees mentioned this issue Nov 16, 2020
Merged
mauritsvanrees added a commit to collective/collective.easyform that referenced this issue Nov 16, 2020
@mauritsvanrees
For increased security, in the field xml editor do not resolve entiti…
8d865a9 
…es, and remove processing instructions.

See plone/Products.CMFPlone#3209
mauritsvanrees added a commit to collective/collective.easyform that referenced this issue Nov 16, 2020
@mauritsvanrees
For increased security, in the field xml editor do not resolve entiti…
261ea80 
…es, and remove processing instructions.

See plone/Products.CMFPlone#3209
mauritsvanrees added a commit to plone/plone.app.event that referenced this issue Nov 16, 2020
@mauritsvanrees
Give validation error in ical importer when a file:// URL is used.
3b13da0 
This could be a line of attack for a hacker.
But the hacker would already need to have Manager rights to see the resulting error, before getting some useful information from this.
See plone/Products.CMFPlone#3209
@mauritsvanrees mauritsvanrees mentioned this issue Nov 16, 2020
Merged
mauritsvanrees added a commit to plone/buildout.coredev that referenced this issue Nov 16, 2020
@mauritsvanrees
Added four checkouts with fixes for issue 3209.
44af44e 
Pull requests are pending.
See plone/Products.CMFPlone#3209
mister-roboto pushed a commit to plone/buildout.coredev that referenced this issue Nov 16, 2020
@mauritsvanrees
[fc] Repository: plone.app.theming
afe3616 
Branch: refs/heads/master
Date: 2020-11-16T11:18:04+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.theming@b22ccb1

For increased security, fail when trying file protocol access in diazo rules.

Also do not resolve entities, and remove processing instructions.
See plone/Products.CMFPlone#3209

Files changed:
A news/3209.bugfix
M src/plone/app/theming/utils.py
Repository: plone.app.theming

Branch: refs/heads/master
Date: 2020-11-16T21:17:18+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.theming@8b23f0d

Merge pull request #193 from plone/maurits/cmfplone-issue-3209-lxml

Fail when trying file protocol access in diazo rules

Files changed:
A news/3209.bugfix
M src/plone/app/theming/utils.py
mister-roboto pushed a commit to plone/buildout.coredev that referenced this issue Nov 16, 2020
@mauritsvanrees
[fc] Repository: plone.app.dexterity
381c62e 
Branch: refs/heads/master
Date: 2020-11-16T11:44:23+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.dexterity@b11b514

For increased security, in the modeleditor do not resolve entities, and remove processing instructions.

See plone/Products.CMFPlone#3209

Files changed:
A news/3209.bugfix
M plone/app/dexterity/browser/modeleditor.py
Repository: plone.app.dexterity

Branch: refs/heads/master
Date: 2020-11-16T21:17:35+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.dexterity@69b9c31

Merge pull request #317 from plone/maurits/cmfplone-issue-3209-lxml

Modeleditor: do not resolve entities, to avoid xml vulnerabilities

Files changed:
A news/3209.bugfix
M plone/app/dexterity/browser/modeleditor.py
mister-roboto pushed a commit to plone/buildout.coredev that referenced this issue Nov 16, 2020
@mauritsvanrees
[fc] Repository: plone.app.dexterity
7235f09 
Branch: refs/heads/master
Date: 2020-11-16T11:44:23+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.dexterity@b11b514

For increased security, in the modeleditor do not resolve entities, and remove processing instructions.

See plone/Products.CMFPlone#3209

Files changed:
A news/3209.bugfix
M plone/app/dexterity/browser/modeleditor.py
Repository: plone.app.dexterity

Branch: refs/heads/master
Date: 2020-11-16T21:17:35+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.dexterity@69b9c31

Merge pull request #317 from plone/maurits/cmfplone-issue-3209-lxml

Modeleditor: do not resolve entities, to avoid xml vulnerabilities

Files changed:
A news/3209.bugfix
M plone/app/dexterity/browser/modeleditor.py
mister-roboto pushed a commit to plone/buildout.coredev that referenced this issue Nov 16, 2020
@mauritsvanrees
[fc] Repository: plone.supermodel
3a536db 
Branch: refs/heads/master
Date: 2020-11-16T11:51:50+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.supermodel@ee8f4bd

For increased security, in the xml parser do not resolve entities, and remove processing instructions.

See plone/Products.CMFPlone#3209

Files changed:
A news/3209.bugfix
M plone/supermodel/parser.py
Repository: plone.supermodel

Branch: refs/heads/master
Date: 2020-11-16T21:17:51+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.supermodel@e7a0469

Merge pull request #40 from plone/maurits/cmfplone-issue-3209-lxml

In the xml parser do not resolve entities, and remove processing instructions.

Files changed:
A news/3209.bugfix
M plone/supermodel/parser.py
mister-roboto pushed a commit to plone/buildout.coredev that referenced this issue Nov 16, 2020
@mauritsvanrees
[fc] Repository: plone.app.event
0280328 
Branch: refs/heads/master
Date: 2020-11-16T16:57:28+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.event@3b13da0

Give validation error in ical importer when a file:// URL is used.

This could be a line of attack for a hacker.
But the hacker would already need to have Manager rights to see the resulting error, before getting some useful information from this.
See plone/Products.CMFPlone#3209

Files changed:
A news/3209.bugfix
M plone/app/event/ical/importer.py
Repository: plone.app.event

Branch: refs/heads/master
Date: 2020-11-16T21:18:04+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.event@9240012

Merge pull request #322 from plone/maurits/cmfplone-issue-3209-event

Give validation error in ical importer when a file:// URL is used.

Files changed:
A news/3209.bugfix
M plone/app/event/ical/importer.py
mister-roboto pushed a commit to plone/buildout.coredev that referenced this issue Nov 16, 2020
@mauritsvanrees
[fc] Repository: plone.app.event
d093dc6 
Branch: refs/heads/master
Date: 2020-11-16T16:57:28+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.event@3b13da0

Give validation error in ical importer when a file:// URL is used.

This could be a line of attack for a hacker.
But the hacker would already need to have Manager rights to see the resulting error, before getting some useful information from this.
See plone/Products.CMFPlone#3209

Files changed:
A news/3209.bugfix
M plone/app/event/ical/importer.py
Repository: plone.app.event

Branch: refs/heads/master
Date: 2020-11-16T21:18:04+01:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.app.event@9240012

Merge pull request #322 from plone/maurits/cmfplone-issue-3209-event

Give validation error in ical importer when a file:// URL is used.

Files changed:
A news/3209.bugfix
M plone/app/event/ical/importer.py
@mauritsvanrees
Copy link
Member

I think I have fixed all affected packages. PRs are linked above. I have made releases of all of them:

  • plone.app.event 3.2.10
  • plone.app.theming 4.1.6
  • plone.app.dexterity 2.6.8
  • plone.supermodel 1.6.3

These will be in Plone 5.2.3, which has been "soft released".
@MisakiKata I have mentioned you in the release notes.

At least one add-on is also affected, and it may have more impact there, because you don't need the Manager role to be able to use this. I have made releases of that as well: collective.easyform 1.0a4, 2.2.1, 3.0.5.

Thanks again for reporting this! We appreciate this.

@tkimnguyen
Copy link
Member

tkimnguyen commented Nov 18, 2020
edited
Loading

@mauritsvanrees @jensens
Sorry, when I looked up the submission method on the official website, I saw that the report error pointed to GitHub, so I thought I needed to submit it in the issue, and thank you for your feedback and processing.

Hi @MisakiKata – thank you for reporting this issue! I am interested in improving our website and links. Can you tell me where you saw the submission method on our official website? On the plone.org's footer it says "Report bugs in Plone", which links to https://plone.org/support/bugs, on which the first paragraph has instructions on how to report security issues, i.e. using the [email protected] email address.

image

@MisakiKata
Copy link
Author

image
@tkimnguyen

@tkimnguyen
Copy link
Member

Fixed! that link now points to https://plone.org/support/bugs. Thanks again @MisakiKata !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
01 type: bug 11 prio: blocker 21 status: confirmed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jensens @mauritsvanrees @tkimnguyen @MisakiKata