Security patch 20210518 version 1.4 released
Version 1.4 of the hotfix patches various vulnerabilities. This hotfix is recommended for Plone 4.3, 5.0, 5.1 and 5.2.
This is a routine patch. There is no evidence that the issues fixed here are being used against any sites.
Version 1.4 of the hotfix is available from:
- https://plone.org/security/hotfix/20210518 – if you grab the zip from here, please check that the version.txt contains 1.4 and/or that the md5/sha sum matches. You may get an older version from the cache. Try adding ?x=1 to the URL if this happens.
- https://pypi.org/project/Products.PloneHotfix20210518/
This version is a recommended upgrade for all users.
Zope users are advised to upgrade to Zope 4.6.1 or 5.2.1. If this is not possible, you can try this new version of the hotfix.
See the original 20210518 hotfix announcement
From the changelog:
1.4 (2021-06-08)
- Use safe html transform instead of escape for richtext diff. Otherwise the inline diff is not inline anymore. (Note: I forgot to add this to the changelog on PyPI/plone.org.)
- With PLONEHOTFIX20210518_NAMEDFILE_USE_DENYLIST=1 in the OS environment, use a denylist for determining which mimetypes can be displayed inline. By default we use an allowlist with the most used image types, plain text, and PDF. The denylist contains svg, javascript, and html, which have known cross-site scripting possibilities.
- By popular request, allow showing PDF files inline. Note: browser preference plays a part in what actually happens.
- In untrusted path expressions with modules, check that each module is allowed. In the first version of the hotfix we disallowed modules that were available under a 'private' alias, for example random._itertools. But if random.itertools (without the underscore) had been available, it was still allowed, even though itertools had not been explicitly allowed. (itertools might be fine to allow; it is just an example.)
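The last changelog item, as an added example that is not the hotfix's own code: a constructed module tree in which a fake `random` exposes `itertools` under both a private and a public alias, and a resolver that can run either with the first-version check (refuse only the root name and underscore-prefixed attributes) or with the 1.4 check (every module reached must be allowed under its real `__name__`). The resolver, `ROOTS` and `is_allowed` are assumptions made for this illustration.

```python
import types

# Constructed stand-in for the real module tree (example code, not the hotfix's):
# a fake "random" exposing itertools under a private and under a public alias.
_itertools = types.ModuleType("itertools")
_random = types.ModuleType("random")
_random._itertools = _itertools   # private alias: refused by the first hotfix
_random.itertools = _itertools    # public alias: slipped through the first hotfix
_random.randint = lambda a, b: a  # an ordinary attribute that should stay usable
ROOTS = {"random": _random}


def resolve(dotted, allowed_modules, check_real_names=True, roots=ROOTS):
    """Resolve a dotted path taken from an untrusted expression.

    check_real_names=False mimics the first hotfix: only the root name and
    underscore-prefixed attributes are refused, so the module behind a public
    alias is never checked.  check_real_names=True is the 1.4 behaviour: every
    module reached along the path must be allowed under its own __name__,
    whatever attribute name it was reached through.
    """
    parts = dotted.split(".")
    if parts[0] not in allowed_modules or parts[0] not in roots:
        raise PermissionError("module not allowed: " + parts[0])
    obj = roots[parts[0]]
    for part in parts[1:]:
        if part.startswith("_"):
            raise PermissionError("private name: " + part)
        obj = getattr(obj, part)
        if (check_real_names and isinstance(obj, types.ModuleType)
                and obj.__name__ not in allowed_modules):
            raise PermissionError("module not allowed: " + obj.__name__)
    return obj


def is_allowed(dotted, allowed_modules, check_real_names=True):
    """True when the path resolves, False when the policy refuses it."""
    try:
        resolve(dotted, allowed_modules, check_real_names)
    except PermissionError:
        return False
    return True
```

With only `random` allowed, the first-version check accepts `random.itertools` while the 1.4 check refuses it; allowing `itertools` explicitly makes both aliases equivalent again.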