[Erp5-dev] PortalTransform-1.4.0 contains Cross-site scripting (XSS) security issue

Boris Kocherov bkocherov at gmail.com
Mon Feb 9 17:57:56 CET 2009


PortalTransform-1.4.0 contains an XSS issue.
PortalTransform-1.5.5 does not contain this issue.
PortalTransform-1.5.5 is available at 
http://plone.org/products/archetypes/releases/1.4.6 .

What do you think about using PortalTransform-1.5.5 instead?
It depends on MimetypesRegistry-1.5.0 and demands updating erp5_core 
(Paths: portal_transforms/** Tools: mimetypes_registry).

Below you can find my work description, which I hope may help you with the upgrade.

I created patches for PortalTransform using nexedi's version 
http://svn.erp5.org/erp5/trunk/products/PortalTransforms/.
They are:
https://www.raskon.org/hg/debs/zope-erp5dep/file/0c9f3b9ed502/debian/patches/portaltransforms_nexedi_fix_infinite_loop.patch
https://www.raskon.org/hg/debs/zope-erp5dep/file/0c9f3b9ed502/debian/patches/portaltransforms_nexedi_use_aq_parent.patch

These patches can be successfully applied on PortalTransform-1.5.5.

These patches exclude some of nexedi's changes:
I did not include the patch """remove PortalTransforms/configure.zcml that 
is not compatible with Zope-2.8's five""" because I am using Five-1.2.6 
with Zope2.8.

I did not include patches:
"""let the user configure 'initial_header_level' (cf 'rest-header-level' 
directive).""",
"""remove id parameter from log method's arguments.""" ,
because I think they are already applied in 1.5.5.

I did not include nexedi's changes which are not described in 
http://svn.erp5.org/erp5/trunk/products/PortalTransforms/HISTORY.txt?view=markup 


Regards,
  Boris Kocherov

-- 
Crisis had come unexpectedly, just as winter comes unexpectedly to 
Russia every year.