r1024 - in /zope-cmfplone/trunk: __init__.py debian/changelog statusmessages.py
kobold at users.alioth.debian.org
kobold at users.alioth.debian.org
Thu Nov 8 13:01:33 UTC 2007
Author: kobold
Date: Thu Nov 8 13:01:32 2007
New Revision: 1024
URL: http://svn.debian.org/wsvn/pkg-zope/?sc=1&rev=1024
Log:
Preparing the new upload.
Added:
zope-cmfplone/trunk/statusmessages.py
Modified:
zope-cmfplone/trunk/__init__.py
zope-cmfplone/trunk/debian/changelog
Modified: zope-cmfplone/trunk/__init__.py
URL: http://svn.debian.org/wsvn/pkg-zope/zope-cmfplone/trunk/__init__.py?rev=1024&op=diff
==============================================================================
--- zope-cmfplone/trunk/__init__.py (original)
+++ zope-cmfplone/trunk/__init__.py Thu Nov 8 13:01:32 2007
@@ -1,3 +1,6 @@
+# CVE-2007-5741 hotfix
+import statusmessages
+
import sys
import os
import Globals
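Review bot: The added `import statusmessages` exists only for its side effects — the imported module rebinds functions on Products.statusmessages at import time — and the one-line comment above it does not say so, leaving an apparently unused import that a later cleanup could drop and silently revert the fix. Suggest expanding the comment to `# CVE-2007-5741 hotfix: imported for its side effects (patches Products.statusmessages at import time); do not remove`. The rest of the module beyond the visible import lines is outside the hunk.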
Modified: zope-cmfplone/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-zope/zope-cmfplone/trunk/debian/changelog?rev=1024&op=diff
==============================================================================
--- zope-cmfplone/trunk/debian/changelog (original)
+++ zope-cmfplone/trunk/debian/changelog Thu Nov 8 13:01:32 2007
@@ -1,3 +1,10 @@
+zope-cmfplone (2.5.2-2) unstable; urgency=low
+
+ * statusmessage.py, __init__.py: applied fix for CVE-2007-5741:
+ unsafe data interpreted as pickles. (Closes: #449523)
+
+ -- Fabio Tranchitella <kobold at debian.org> Thu, 08 Nov 2007 14:00:46 +0100
+
zope-cmfplone (2.5.2-1) unstable; urgency=low
* New upstream release.
Added: zope-cmfplone/trunk/statusmessages.py
URL: http://svn.debian.org/wsvn/pkg-zope/zope-cmfplone/trunk/statusmessages.py?rev=1024&op=file
==============================================================================
--- zope-cmfplone/trunk/statusmessages.py (added)
+++ zope-cmfplone/trunk/statusmessages.py Thu Nov 8 13:01:32 2007
@@ -1,0 +1,122 @@
+from base64 import encodestring, decodestring
+import binascii
+import struct
+
+from Products.statusmessages.message import Message
+
+def _encodeCookieValue(text, type, old=None):
+ """Encodes text and type to a list of Messages. If there is already some old
+ existing list, add the new Message at the end but don't add duplicate
+ messages.
+ """
+ results = []
+ message = Message(text, type=type)
+
+ if old is not None:
+ results = _decodeCookieValue(old)
+ if not message in results:
+ results.append(message)
+
+ messages = ''.join([r.encode() for r in results])
+ return encodestring(messages).rstrip()
+
+def _decodeCookieValue(string):
+ """Decode a cookie value to a list of Messages.
+ """
+ results = []
+ # Return nothing if the cookie is marked as deleted
+ if string == 'deleted':
+ return results
+ # Try to decode the cookie value
+ try:
+ value = decodestring(string)
+ while len(value) > 1: # at least 2 bytes of data
+ message, value = decode(value)
+ if message is not None:
+ results.append(message)
+ except (binascii.Error, UnicodeEncodeError):
+ logger.log(logging.ERROR, '%s \n%s',
+ 'Unexpected value in statusmessages cookie',
+ sys.exc_value
+ )
+ return []
+
+ return results
+
+def _utf8(value):
+ if isinstance(value, unicode):
+ return value.encode('utf-8')
+ elif isinstance(value, str):
+ return value
+ return ''
+
+def _unicode(value):
+ return unicode(value, 'utf-8', 'ignore')
+
+def encode(self):
+ """
+ Encode to a cookie friendly format.
+
+ The format consists of a two bytes length header of 11 bits for the
+ message length and 5 bits for the type length followed by two values.
+ """
+ message = _utf8(self.message)[:0x3FF] # we can store 2^11 bytes
+ type = _utf8(self.type)[:0x1F] # we can store 2^5 bytes
+ size = (len(message) << 5) + (len(type) & 31) # pack into 16 bits
+
+ return struct.pack('!H%ds%ds' % (len(message), len(type)),
+ size, message, type)
+
+def decode(value):
+ """Decode messages from a cookie
+
+ We return the decoded message object, and the remainder of the cookie
+ value (it can contain further messages).
+
+ We expect at least 2 bytes (size information).
+ """
+
+ if len(value) > 2:
+ size = struct.unpack('!H', value[:2])[0]
+ msize, tsize = (size >> 5, size & 31)
+ message = Message(_unicode(value[2:msize+2]),
+ _unicode(value[msize+2:msize+tsize+2]))
+ return message, value[msize+tsize+2:]
+ return None, ''
+
+from Products.statusmessages import adapter
+from Products.statusmessages import message
+Message.encode = encode
+message.decode = decode
+adapter._encodeCookieValue = _encodeCookieValue
+adapter._decodeCookieValue = _decodeCookieValue
+
+# Plone 2.5 specific code
+from Products.CMFPlone.utils import getFSVersionTuple
+if getFSVersionTuple()[:2] == (2, 5):
+ HAS_GTS = True
+ try:
+ from Products.PageTemplates.GlobalTranslationService import \
+ getGlobalTranslationService
+ except ImportError:
+ HAS_GTS = False
+
+ if HAS_GTS:
+ original = adapter.StatusMessage.addStatusMessage
+ def addStatusMessage(self, text, type=''):
+ """Add a status message.
+ """
+ gts = getGlobalTranslationService()
+ parents = getattr(self.context, 'PARENTS', None)
+ aq_context = parents is not None and parents[0] or None
+ text = gts.translate(None, text, context=aq_context)
+ original(self, text, type)
+
+ def __eq__(self, other):
+ if not isinstance(other, Message):
+ return False
+ if self.message == other.message and self.type == other.type:
+ return True
+ return False
+
+ Message.__eq__ = __eq__
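Review bot: The except branch of _decodeCookieValue — the path taken for a malformed cookie, which is exactly the untrusted input this hotfix exists to handle — references `logger`, `logging` and `sys`, none of which the file imports, so a bad cookie raises NameError from the handler instead of returning []; add `import logging` and `import sys` to the imports and a module-level `logger = logging.getLogger(__name__)`. Further down, the translating `addStatusMessage` wrapper and the saved `original` are defined but never bound onto `adapter.StatusMessage`, so that class keeps its original method; if installing it was the intent, add `adapter.StatusMessage.addStatusMessage = addStatusMessage` after the definition. In encode the slice `[:0x3FF]` keeps 1023 bytes while the comment says 2^11; the 11-bit length field holds up to 0x7FF, so either widen the slice or correct the comment to match. decode's guard `if len(value) > 2` drops a well-formed two-byte header carrying an empty message and type, contrary to its docstring's "at least 2 bytes", and a size field larger than the remaining data is silently truncated by the slices rather than treated as malformed — worth a comment stating that truncation is the accepted behaviour, or an explicit length check.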