[Erp5-dev] PortalTransform-1.4.0 contains Cross-site scripting (XSS) security issue

Jean-Paul Smets jp at nexedi.com
Tue Feb 10 07:57:31 CET 2009


Hi,

Good news. Could you do the following:
    - launch all unit tests on your machine (those which relate to DMS and Web)
    - make sure they all pass
    - let the ML know

Regards,

JPS.

Boris Kocherov a écrit :
> PortalTransform-1.4.0 contains an XSS issue.
> PortalTransform-1.5.5 does not contain this issue.
> PortalTransform-1.5.5 is available at
> http://plone.org/products/archetypes/releases/1.4.6 .
>
> What do you think about using PortalTransform-1.5.5 instead?
> It depends on MimetypesRegistry-1.5.0 and requires updating erp5_core
> (Paths: portal_transforms/**, Tools: mimetypes_registry).
>
> Below you can find my work description, which I hope may help you with the upgrade.
>
> I created patches for PortalTransform using Nexedi's version
> http://svn.erp5.org/erp5/trunk/products/PortalTransforms/.
> They are:
> https://www.raskon.org/hg/debs/zope-erp5dep/file/0c9f3b9ed502/debian/patches/portaltransforms_nexedi_fix_infinite_loop.patch
> https://www.raskon.org/hg/debs/zope-erp5dep/file/0c9f3b9ed502/debian/patches/portaltransforms_nexedi_use_aq_parent.patch
>
> These patches can be successfully applied on PortalTransform-1.5.5.
>
> These patches exclude some of Nexedi's changes:
> I did not include the patch """remove PortalTransforms/configure.zcml that
> is not compatible with Zope-2.8's five""" because I am using Five-1.2.6
> with Zope2.8.
>
> I did not include the patches:
> """let the user configure 'initial_header_level' (cf 'rest-header-level'
> directive).""",
> """remove id parameter from log method's arguments.""",
> because I think they are already applied in 1.5.5.
>
> I did not include Nexedi's changes which are not described in
> http://svn.erp5.org/erp5/trunk/products/PortalTransforms/HISTORY.txt?view=markup
>
>
> Regards,
>   Boris Kocherov
>


-- 
Jean-Paul Smets-Solanes, Nexedi CEO - Tel. +33(0)6 62 05 76 14
ERP5 Enterprise: Free / Open Source ERP for Critical Applications
http://www.erp5.com
ERP5 Express: Hosted Open Source ERP for small companies
http://www.myerp5.com
Nexedi: Consulting and Development of Free / Open Source Software 
http://www.nexedi.com