[Erp5-dev] PortalTransform-1.4.0 contains Cross-site scripting (XSS) security issue
Jean-Paul Smets
jp at nexedi.com
Tue Feb 10 07:57:31 CET 2009
Hi,
Good news. Could you do the following:
- launch all unit tests on your machine (those which relate to DMS
and Web)
- make sure they all pass
- let the ML know
Regards,
JPS.
Boris Kocherov wrote:
> PortalTransform-1.4.0 contains an XSS issue.
> PortalTransform-1.5.5 does not contain this issue.
> PortalTransform-1.5.5 is available at
> http://plone.org/products/archetypes/releases/1.4.6 .
>
> What do you think about using PortalTransform-1.5.5 instead?
> It depends on MimetypesRegistry-1.5.0 and demands updating erp5_core
> (Paths:portal_transforms/** Tools: mimetypes_registry).
>
> Below you can find my work description which I hope may help you in the upgrade.
>
> I created patches for PortalTransform using Nexedi's version
> http://svn.erp5.org/erp5/trunk/products/PortalTransforms/.
> They are:
> https://www.raskon.org/hg/debs/zope-erp5dep/file/0c9f3b9ed502/debian/patches/portaltransforms_nexedi_fix_infinite_loop.patch
> https://www.raskon.org/hg/debs/zope-erp5dep/file/0c9f3b9ed502/debian/patches/portaltransforms_nexedi_use_aq_parent.patch
>
> These patches can be successfully applied on PortalTransform-1.5.5.
>
> These patches exclude some of Nexedi's changes:
> I did not include the patch """remove PortalTransforms/configure.zcml that
> is not compatible with Zope-2.8's five""" because I am using Five-1.2.6
> with Zope2.8.
>
> I did not include patches:
> """let the user configure 'initial_header_level' (cf 'rest-header-level'
> directive).""",
> """remove id parameter from log method's arguments.""" ,
> because i think they are already applied in 1.5.5.
>
> I did not include Nexedi's changes which are not described in
> http://svn.erp5.org/erp5/trunk/products/PortalTransforms/HISTORY.txt?view=markup
>
>
> Regards,
> Boris Kocherov
>
>
--
Jean-Paul Smets-Solanes, Nexedi CEO - Tel. +33(0)6 62 05 76 14
ERP5 Enterprise: Free / Open Source ERP for Critical Applications
http://www.erp5.com
ERP5 Express: Hosted Open Source ERP for small companies
http://www.myerp5.com
Nexedi: Consulting and Development of Free / Open Source Software
http://www.nexedi.com
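The thread above fixes an XSS issue in PortalTransforms by upgrading and then relying on the DMS/Web unit tests to catch regressions. The following is an added example, not code from this thread, from PortalTransforms or from ERP5: a standalone whitelist HTML sanitizer in Python 3, in the spirit of a "safe HTML" transform, together with a set of constructed XSS vectors that a regression test for such a transform should keep passing. The thread does not say which input triggers the 1.4.0 issue, so the vectors are generic (script tags, event handlers, `javascript:` URLs with whitespace and entity obfuscation, dropped containers), not a reproduction of that bug; the tag and attribute whitelists are assumptions chosen for the example.

```python
"""Whitelist HTML sanitizer with constructed XSS regression cases.

Added example for this thread; not PortalTransforms or ERP5 code. The
allow-lists below are illustrative assumptions, not the real safe_html
configuration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
                "img", "h1", "h2", "h3", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag *and* its text are removed
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL


def safe_url(value):
    """True if the URL's scheme is on the allow-list.

    Whitespace and control characters are stripped first because browsers
    ignore them inside the scheme ("java\tscript:" still runs).
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    return scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: attribute values and text arrive unescaped,
        # so "&#106;avascript:" is seen as "javascript:" before the check.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.dropping = 0   # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return          # unknown tag removed; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue    # drops every on* handler and style attribute
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.open_tags:
            return
        # Close up to and including the matching tag (repairs bad nesting).
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                # comments dropped (conditional comments too)

    def close(self):
        super().close()
        while self.open_tags:           # close anything left open
            self.out.append("</%s>" % self.open_tags.pop())


def sanitize(html):
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed vectors for a regression test of the transform.
XSS_CASES = [
    '<p>hi<script>alert(1)</script></p>',
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="  JaVa\tScRiPt:alert(1)">x</a>',
    '<a href="&#106;avascript:alert(1)">x</a>',
    '<iframe src="http://evil.example/"></iframe>',
    '<p style="background:url(javascript:alert(1))">x</p>',
    '<!--[if IE]><script>alert(1)</script><![endif]-->',
    '<svg><script>alert(1)</script></svg>',
]


def check_cases(cases=XSS_CASES):
    """Return (input, output) pairs whose sanitized form still looks live."""
    failures = []
    for case in cases:
        out = sanitize(case).lower()
        if any(marker in out for marker in ("<script", "javascript:", "onerror", "alert(")):
            failures.append((case, out))
    return failures


if __name__ == "__main__":
    for case, out in check_cases() or []:
        print("STILL DANGEROUS:", case, "->", out)
    print("failures:", len(check_cases()))
```

The point of `check_cases` is the shape of the regression test JPS asks for: after swapping the transform package, feed the known vectors through the transform and fail the build if any marker survives, rather than only checking that the existing suites still pass.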