From c062a4913f8d1f0cf82a4f098de644e3a4036e62 Mon Sep 17 00:00:00 2001 From: gforcada Date: Tue, 30 Aug 2016 20:53:29 +0200 Subject: [PATCH] [fc] Repository: plone.app.collection Branch: refs/heads/master Date: 2016-08-30T18:32:46+03:00 Author: ichim-david (ichim-david) Commit: https://github.com/plone/plone.app.collection/commit/f9c201957a1edc7349e346574bb485594c747196 - Check with getattr if item isPrincipiaFolderish as Comment does Files changed: M CHANGES.rst M plone/app/collection/collection.py Repository: plone.app.collection Branch: refs/heads/master Date: 2016-08-30T20:53:29+02:00 Author: Gil Forcada Codinachs (gforcada) Commit: https://github.com/plone/plone.app.collection/commit/ea6290bc2f9d32e92946051595a6d6e145c3e4a2 Merge pull request #36 from ichim-david/master Check with getattr if item isPrincipiaFolderish as Comment does Files changed: M CHANGES.rst M plone/app/collection/collection.py --- last_commit.txt | 168 ++++++++++++++++-------------------------------- 1 file changed, 54 insertions(+), 114 deletions(-) diff --git a/last_commit.txt b/last_commit.txt index c97b8d888f..287e749ee5 100644 --- a/last_commit.txt +++ b/last_commit.txt @@ -1,150 +1,90 @@ -Repository: plone.resource +Repository: plone.app.collection Branch: refs/heads/master -Date: 2016-08-30T19:23:57+02:00 -Author: Maurits van Rees (mauritsvanrees) -Commit: https://github.com/plone/plone.resource/commit/8fe167fa6400d4d01072b82d70cc5a77560f8cb8 +Date: 2016-08-30T18:32:46+03:00 +Author: ichim-david (ichim-david) +Commit: https://github.com/plone/plone.app.collection/commit/f9c201957a1edc7349e346574bb485594c747196 -Applied 20160830 security hotfix. +- Check with getattr if item isPrincipiaFolderish as Comment does Files changed: M CHANGES.rst -M plone/resource/directory.py -M plone/resource/tests/test_traversal.py +M plone/app/collection/collection.py diff --git a/CHANGES.rst b/CHANGES.rst -index 2d43f09..6d9bf29 100644 +index e4d00a5..8b0554f 100644 --- a/CHANGES.rst +++ b/CHANGES.rst -@@ -14,7 +14,7 @@ New features: +@@ -14,7 +14,9 @@ New features: Bug fixes: -- *add item here* -+- Applied 20160830 security hotfix. [maurits] - - - 1.0.6 (2016-08-10) -diff --git a/plone/resource/directory.py b/plone/resource/directory.py -index dbe4cad..5b9cf37 100644 ---- a/plone/resource/directory.py -+++ b/plone/resource/directory.py -@@ -8,6 +8,7 @@ - from Products.BTreeFolder2.BTreeFolder2 import BTreeFolder2 - from Products.CMFCore.utils import getToolByName - from StringIO import StringIO -+from zExceptions import Forbidden - from zExceptions import NotFound - from zope.interface import implementer - from zope.site.hooks import getSite -@@ -211,7 +212,9 @@ def __repr__(self): - - def _resolveSubpath(self, path): - parts = path.split('/') -- filepath = os.path.join(self.directory, *parts) -+ filepath = os.path.abspath(os.path.join(self.directory, *parts)) -+ if not filepath.startswith(self.directory): -+ raise Forbidden('Invalid path resource') - return filepath - - def publishTraverse(self, request, name): -diff --git a/plone/resource/tests/test_traversal.py b/plone/resource/tests/test_traversal.py -index 2157b66..bd63948 100644 ---- a/plone/resource/tests/test_traversal.py -+++ b/plone/resource/tests/test_traversal.py -@@ -11,6 +11,7 @@ - from plone.resource.directory import PersistentResourceDirectory - from plone.resource.directory import FilesystemResourceDirectory - from plone.resource.file import FilesystemFile -+from zExceptions import Forbidden - - base_path = os.path.dirname(__file__) - test_dir_path = os.path.join(base_path, 'resources') -@@ -91,3 +92,8 @@ def test_publish_unique_resource(self): - - browser.open(self.app.absolute_url() + '/++demo++foo/++unique++bar/test.html') - self.assertEqual('asdf', browser.contents) -+ -+ def test_forbidden_resource_path_traversal(self): -+ resource_directory = FilesystemResourceDirectory(test_dir_path) -+ self.assertRaises(Forbidden, resource_directory._resolveSubpath, -+ '../../../../setup.py') ++- Check with getattr if item isPrincipiaFolderish as Comment does ++ not have this attribute which would render an AttributeError ++ [ichim-david] + + + 1.2.1 (2016-08-15) +diff --git a/plone/app/collection/collection.py b/plone/app/collection/collection.py +index 15ad3c2..3d6a1fc 100644 +--- a/plone/app/collection/collection.py ++++ b/plone/app/collection/collection.py +@@ -170,7 +170,7 @@ def getFoldersAndImages(self): + + for item in results: + item_path = item.getPath() +- if item.isPrincipiaFolderish: ++ if getattr(item, 'isPrincipiaFolderish', []): + query = { + 'portal_type': image_types, + 'path': item_path, -Repository: plone.resource +Repository: plone.app.collection Branch: refs/heads/master -Date: 2016-08-30T20:49:52+02:00 +Date: 2016-08-30T20:53:29+02:00 Author: Gil Forcada Codinachs (gforcada) -Commit: https://github.com/plone/plone.resource/commit/198f0423c082ee10ea4029f622327853420ff9c4 +Commit: https://github.com/plone/plone.app.collection/commit/ea6290bc2f9d32e92946051595a6d6e145c3e4a2 -Merge pull request #14 from plone/apply-hotfix-20168030 +Merge pull request #36 from ichim-david/master -Applied 20160830 security hotfix. +Check with getattr if item isPrincipiaFolderish as Comment does Files changed: M CHANGES.rst -M plone/resource/directory.py -M plone/resource/tests/test_traversal.py +M plone/app/collection/collection.py diff --git a/CHANGES.rst b/CHANGES.rst -index 2d43f09..6d9bf29 100644 +index e4d00a5..8b0554f 100644 --- a/CHANGES.rst +++ b/CHANGES.rst -@@ -14,7 +14,7 @@ New features: +@@ -14,7 +14,9 @@ New features: Bug fixes: -- *add item here* -+- Applied 20160830 security hotfix. [maurits] - - - 1.0.6 (2016-08-10) -diff --git a/plone/resource/directory.py b/plone/resource/directory.py -index dbe4cad..5b9cf37 100644 ---- a/plone/resource/directory.py -+++ b/plone/resource/directory.py -@@ -8,6 +8,7 @@ - from Products.BTreeFolder2.BTreeFolder2 import BTreeFolder2 - from Products.CMFCore.utils import getToolByName - from StringIO import StringIO -+from zExceptions import Forbidden - from zExceptions import NotFound - from zope.interface import implementer - from zope.site.hooks import getSite -@@ -211,7 +212,9 @@ def __repr__(self): - - def _resolveSubpath(self, path): - parts = path.split('/') -- filepath = os.path.join(self.directory, *parts) -+ filepath = os.path.abspath(os.path.join(self.directory, *parts)) -+ if not filepath.startswith(self.directory): -+ raise Forbidden('Invalid path resource') - return filepath - - def publishTraverse(self, request, name): -diff --git a/plone/resource/tests/test_traversal.py b/plone/resource/tests/test_traversal.py -index 2157b66..bd63948 100644 ---- a/plone/resource/tests/test_traversal.py -+++ b/plone/resource/tests/test_traversal.py -@@ -11,6 +11,7 @@ - from plone.resource.directory import PersistentResourceDirectory - from plone.resource.directory import FilesystemResourceDirectory - from plone.resource.file import FilesystemFile -+from zExceptions import Forbidden - - base_path = os.path.dirname(__file__) - test_dir_path = os.path.join(base_path, 'resources') -@@ -91,3 +92,8 @@ def test_publish_unique_resource(self): - - browser.open(self.app.absolute_url() + '/++demo++foo/++unique++bar/test.html') - self.assertEqual('asdf', browser.contents) -+ -+ def test_forbidden_resource_path_traversal(self): -+ resource_directory = FilesystemResourceDirectory(test_dir_path) -+ self.assertRaises(Forbidden, resource_directory._resolveSubpath, -+ '../../../../setup.py') ++- Check with getattr if item isPrincipiaFolderish as Comment does ++ not have this attribute which would render an AttributeError ++ [ichim-david] + + + 1.2.1 (2016-08-15) +diff --git a/plone/app/collection/collection.py b/plone/app/collection/collection.py +index 15ad3c2..3d6a1fc 100644 +--- a/plone/app/collection/collection.py ++++ b/plone/app/collection/collection.py +@@ -170,7 +170,7 @@ def getFoldersAndImages(self): + + for item in results: + item_path = item.getPath() +- if item.isPrincipiaFolderish: ++ if getattr(item, 'isPrincipiaFolderish', []): + query = { + 'portal_type': image_types, + 'path': item_path,