20160830

Fixes various XSS and open redirection vulnerabilities

Available downloads

PloneHotfix20160830-1.3.zip

MD5: 1e03bfec55ea9d982510fe90f3e6e08b
SHA1: e3832ff6941477f2dc1d4bd2e1d42985619ef2d9
For all platforms (15408 bytes)

Plone affected versions

  • 5.1a1
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 4.3.11
  • 4.3.10
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.2
  • 4.3.1
  • 4.3
  • 4.2.7
  • 4.2.6
  • 4.2.5
  • 4.2.4
  • 4.2.3
  • 4.2.2
  • 4.2.1
  • 4.2
  • 4.1.6
  • 4.1.5
  • 4.1.4
  • 4.1.3
  • 4.1.2
  • 4.1.1
  • 4.1
  • 4.0.10
  • 4.0.9
  • 4.0.8
  • 4.0.7
  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0
  • 3.3.6
  • 3.3.5
  • 3.3.4
  • 3.3.3
  • 3.3.2
  • 3.3.1
  • 3.3

Release Notes

CVE numbers not yet issued.

Versions Affected: All supported Plone versions (4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version). Previous versions could be affected but have not been fully tested.

Versions Not Affected: None.

Nature of vulnerability: the hotfix addresses several cross-site scripting (XSS) vulnerabilities.

Version support: The hotfix is officially supported by the Plone security team on the following versions of Plone in accordance with the Plone version support policy: 4.0.10, 4.1.6, 4.2.7, 4.3.11 and 5.0.6. However, it has also received some testing on older versions of Plone.

The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.3.12, 5.0.7 and greater should not require this hotfix.

Installation instructions

The procedure for installing Hotfix 20160830 differs slightly based on which version of Plone or Zope you are running, and whether you installed Plone or Zope using buildout.

Backup First!

It is prudent to back up all your data and installation files before installing any Plone add-on, including this hotfix. If you already have a solid Plone backup routine in place, you can skip this step and proceed.

If you don't already have a backup of your Plone site, the simplest way to make one is to copy your entire Zope instance folder or buildout folder to a secure location.

Recommended Install Procedure

If you're less experienced with Plone, the easiest way to install Hotfix 20160830 on Plone 4.0 - Plone 5.x is as follows:

1) Download the hotfix archive using the link above. If you have an MD5 tool available (Linux or Mac), check that the checksum of the download matches the MD5 value listed above.

2) Place the downloaded zip file into the "products" directory in your Zope instance. On pre-buildout installations, this will be "Products".

3) Unpack the zip file.

On Linux or Mac, the command is:

$ unzip PloneHotfix20160830-1.3.zip

On Windows, use your favorite archiving product.  (7Zip is a good choice.)

4) Restart your Zope instance in foreground mode to ensure that the hotfix is installed.

On Mac or Linux, the command is typically:

$ bin/instance fg

On Windows, the command is typically:

> bin\instance.exe fg

Zope will start in the foreground, and you should see the message "INFO PloneHotfix20160830 Hotfix installed" during startup.

5) Stop the foreground instance of Zope by hitting CTRL-C.

6) Restart your Zope instance.

On Mac or Linux, the command is typically:

$ bin/instance start

On Windows, the command is typically:

> bin\instance.exe start

Installing with Buildout

If you are an experienced Plone administrator, and you are using a buildout-based installation of Plone, you may choose to install Hotfix 20160830 with buildout. However, if you choose to do this, you must be certain that you will not accidentally overwrite Plone components with newer versions.  This is particularly likely if you try to use buildout with older versions of Plone.

If you are not sure what you're doing, please use the "Recommended Install Procedure" above.

1) Find your buildout.cfg file, typically located in the "zinstance" subdirectory of your Plone installation directory.

2) Open your buildout.cfg file in your favorite text editor.

3) Scroll down to the "eggs" section of the buildout and add Products.PloneHotfix20160830, e.g.:

[buildout]
...
eggs = 
    Products.PloneHotfix20160830

4) Rerun buildout.

On Mac or Linux, the command is:

$ ./bin/buildout -Nv

On Windows, the command is:

> bin\buildout.exe -Nv

5) Restart your Zope instance.

On Mac or Linux, the command is:

$ ./bin/instance start

On Windows, the command is:

> bin\instance.exe start

Alternatively, on Windows, you may restart the Zope service via the Windows Services control panel.

Installation continued

On startup, the hotfix will log a number of messages to the Zope event log. You can use this to confirm the patch is successfully installed. They look like this:

2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied resource patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied confirm patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied z3c_form patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied in_portal patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied plonerootlogin patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied redirects patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied redirect_folderfactories patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied redirect_qi patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied redirectto patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied discussion patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied user patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Applied zmi patch
2016-08-30 08:46:09 INFO Products.PloneHotfix20160830 Hotfix installed

Applied patches

Not all patches need to be applied in all Plone versions.

If you are using versions of plone.protect prior to 3, the "confirm" patch is not necessary and will not successfully apply. This is true for any Plone 4 site that does not have plone4.csrffixes installed.

On default installs of Plone 4.x, the "user" patch will not successfully apply and is not needed. It is only applied when a version of plone.app.users greater than 2 is installed.

On default installs of Plone 4.1.x or lower, the "resource" patch will not successfully apply and is not needed. It is only applied when plone.resource is installed.

On default installs of Plone 4.0.x or lower, the "discussion" patch will not successfully apply and is not needed. It is only applied when plone.app.discussion is installed.

On default installs of Plone 3 or lower, the "plonerootlogin" patch will not successfully apply and is not needed. It is only applied on Plone 4 and higher.

On default installs of Plone 3 or lower, the "z3c_form" patch will not successfully apply and is not needed. It is only applied when z3c.form is installed.

Redirection to external sites

For any controller page template or script that uses the redirect_to action, the URL is now checked. If the URL is not in the current portal and its domain is not in the allow_external_login_sites property, Plone refuses to redirect to it and instead redirects to the current page.

One example where this might affect you is if you use an external site to log in (for example OpenID, Facebook, Google), or when the Plone site itself is set up as an OpenID provider for other sites. In this or similar cases, you need to update the "allow_external_login_sites" property.

  • On Plone 5 this can be done in the Configuration Registry: /portal_registry/edit/plone.allow_external_login_sites
  • On Plone 4 and lower this can only be done in the Zope Management Interface: portal_properties/site_properties/manage_propertiesForm.

If you have your own controller page templates or scripts and want to allow redirection to external sites without editing this property, you can edit the ".metadata" file of the template or script and change redirect_to to external_redirect_to. This action allows both internal and external redirects. It has been added in this hotfix and will be added to future versions of Products.CMFFormController.
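The following is an added example, not code from the hotfix itself: it models the redirect_to rule described above (target must be inside the portal or its host must be listed in allow_external_login_sites, otherwise fall back to the current page) and shows the tricky targets such a check must reject. The portal URL and the allow-list are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample configuration for this example (not a real site): the
# portal URL and the allow_external_login_sites property the hotfix consults.
PORTAL_URL = "https://www.example.org/plone"
ALLOW_EXTERNAL_LOGIN_SITES = ("login.example.net",)


def is_internal(url, portal_url=PORTAL_URL):
    """True when the target stays inside the portal (the 'in the current portal' test)."""
    # Browsers turn backslashes into slashes and treat //host as a new host,
    # so such "relative" targets actually leave the portal; refuse them.
    if "\\" in url or url.startswith("//"):
        return False
    target, portal = urlsplit(url), urlsplit(portal_url)
    if not target.scheme and not target.netloc:
        return True  # a plain relative path is served by the portal host
    if target.scheme != portal.scheme or target.netloc.lower() != portal.netloc.lower():
        return False
    base = portal.path.rstrip("/")
    return target.path == base or target.path.startswith(base + "/")


def is_allowed_external(url, allowed=ALLOW_EXTERNAL_LOGIN_SITES):
    """True when the target host is listed in allow_external_login_sites."""
    target = urlsplit(url)
    if target.scheme not in ("http", "https"):
        return False  # javascript:, data: and similar schemes are never login sites
    # hostname (not netloc), so 'https://login.example.net@evil.test/' resolves to evil.test
    host = (target.hostname or "").lower()
    return host in {h.lower() for h in allowed}


def safe_redirect_target(url, current_page):
    """Apply the redirect_to rule: pass internal or allow-listed targets,
    otherwise return the current page instead of the requested target."""
    if is_internal(url) or is_allowed_external(url):
        return url
    return current_page
```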

z3c.form and prefilling data

With this hotfix, we only use data from the request when the request method matches the form method. By default all forms are meant for POST requests, and for those we no longer allow prefilling data from a GET request. The same is true the other way around: we don't fill in data from POST requests in forms that expect a GET request, although that likely does not happen often.

If you have a form where this protection is not wanted, you can add an attribute allow_prefill_from_GET_request on the form and set it to a True value. If you want, you can import this attribute name from Products.PloneHotfix20160830.z3c_form.ALLOW_PREFILL. This attribute will likely be ported to the z3c.form package.

The attribute was introduced in version 1.3 of the hotfix.
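The following is an added example, not the hotfix's own z3c.form patch: it models the request-method rule and the allow_prefill_from_GET_request opt-in described above. The Request and Form classes are minimal stand-ins for the Zope request and a z3c.form form, and the ALLOW_PREFILL constant is a local copy of the attribute name (the real one is importable from Products.PloneHotfix20160830.z3c_form).

```python
# Stand-in for Products.PloneHotfix20160830.z3c_form.ALLOW_PREFILL, so this runs offline.
ALLOW_PREFILL = "allow_prefill_from_GET_request"


class Request:
    """Stand-in for a Zope request: the HTTP method and the submitted fields."""

    def __init__(self, method, form):
        self.method = method.upper()
        self.form = dict(form)


class Form:
    """Stand-in for a z3c.form form; z3c.form forms default to method 'post'."""

    method = "post"

    def __init__(self, request, **attrs):
        self.request = request
        for name, value in attrs.items():  # e.g. allow_prefill_from_GET_request=True
            setattr(self, name, value)


class SearchForm(Form):
    """A form that legitimately expects its data in the query string."""

    method = "get"


def request_data_allowed(form):
    """Use request data only when the methods match, or when the form has
    opted in to being prefilled from a GET request (the opt-in relaxes
    only that case, never POST data arriving at a GET form)."""
    if form.request.method == form.method.upper():
        return True
    return form.request.method == "GET" and bool(getattr(form, ALLOW_PREFILL, False))


def widget_values(form):
    """Fields the widgets may be filled from; {} when the hotfix rule blocks them."""
    return dict(form.request.form) if request_data_allowed(form) else {}
```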

Issues fixed