    Maurits van Rees
    @mauritsvanrees
    Watch out for possible problems installing any package when your setuptools or Python is too old. See https://community.plone.org/t/pypi-deprecation-of-support-for-non-sni-clients-breaks-buildout-for-older-plone-versions/13803
    Mikel Larreategi
    @erral
    (copying from Slack if someone else sees it in his sites):
    Some old sites of our customers that use Products.Collage as home page are breaking. We are investigating if it's directly related to the patch or something specific to those sites
    Ok, they are Plone 3.3.x sites, out of scope of this patch
    brlec
    @brlec:matrix.org
    Has anyone tried this hotfix on Plone 4.2.1 (or know whether it's even applicable?)
    (I realize it's out of support, of course. We're working on upgrading it.)
    brlec
    @brlec:matrix.org
    Oh, I see now, "Previous versions, like 4.2, could be affected but have not been tested". Apologies.
    Well, if anyone knows if the RCE applies to 4.2 and/or has tried the hotfix I'd be interested to hear from you. Thanks!
    Mikel Larreategi
    @erral
    We have installed successfully in 4.2.7
    brlec
    @brlec:matrix.org
    Good to know, thank you!
    T. Kim Nguyen
    @tkimnguyen
    @erral has a recipe for doing that without running buildout, FYI
    brlec
    @brlec:matrix.org
    I was going to drop the contents of the hotfix into the products directory... is this something else?
    Mikel Larreategi
    @erral
    here is the ansible recipe that drops a tarball in the products directory https://gist.github.com/erral/daf5799de32e52a5eb54807b4842a4bd
    if you need to update several sites at once and you want automation, it's great
    we have to update +70 sites at once
    brlec
    @brlec:matrix.org
    Ah, gotcha. thanks!
    Manuel Reinhardt
    @reinhardt
    I'm getting a lot of 404s on an older quaive (ploneintranet) installation. The boboAwareZopeTraverse patch seems a little overzealous to me, blocking things like view/__name__ in page templates. Is that just me or has anyone else seen that?
    Plone version is 5.0.8
    Maurits van Rees
    @mauritsvanrees
    @reinhardt Allowing __name__ might be okay. But I think this only goes wrong in templates that are in a skins directory. Is that the case?
    For example the caching control panel in Plone 5.2 uses view/name but I can view it fine on Py 3.
    @reinhardt Shoot, the @@caching-controlpanel on a Plone 4.3 site now gives a 404... This is the template of a browser view.
    Manuel Reinhardt
    @reinhardt
    Yeah, no, it's browser views that are making trouble for me
    Maurits van Rees
    @mauritsvanrees
    @reinhardt We are preparing a 1.1 version.
    Maurits van Rees
    @mauritsvanrees
    @reinhardt and @/all There is a version 1.1 of the hotfix: https://pypi.org/project/Products.PloneHotfix20210518/1.1/
    New zip is up on plone.org. You may need to add a cache busting parameter to get a fresh version:
    https://plone.org/security/hotfix/20210518/@@download/hotfix?x=1
    Maurits van Rees
    @mauritsvanrees
    @erral For the record, I have a Plone 4.3 site with Products.Collage and it seems to work fine with the hotfix.
    brlec
    @brlec:matrix.org
    On our 5.0.7 site (using the 1.1 patch) anyone trying to look at historyview is getting "Insufficient Privileges". in event.log I'm seeing
    2021-05-18T15:14:50 WARNING plone.protect error parsing dom, failure to add csrf token to response for url https://[...]/portals/[...]@@historyview
    Maurits van Rees
    @mauritsvanrees
    @brlec:matrix.org I see the same when I try the hotfix in the Plone core development buildout on 5.1.
    It is caused by the 'expressions' patch. But I don't yet know why. And it really is time for me to sleep. I will try to have a look tomorrow.
    brlec
    @brlec:matrix.org
    Thank you, it's not a high priority for us or anything. Thanks to you and everyone for the truly excellent work.
    Mikel Larreategi
    @erral
    @mauritsvanrees for the record: the 1.1 version of the patch doesn't break the 3.3.x sites with Collage that broke yesterday with the 1.0 version, so it may be related to the view/name thing
    Manuel Reinhardt
    @reinhardt
    Thank you! Unfortunately I'm seeing Unauthorizeds with 1.1 as well.
    FWIW the site is heavily customized, so we should be able to work around it, but it may be some effort.
    Thanks anyway for the great work and quick response!
    Manuel Reinhardt
    @reinhardt
    Well, what's weird is that the failure happens in line 46 of the expressions module, when the condition is not hit and _orig_traverse is called as a fallback. That seems to suggest that the fallback is borked in some way...
    Maik Derstappen
    @MrTango
    I also have trouble with some PloneFormGen forms showing page not found after submit. Deactivating the expression hotfix inside the __init__.py helps for now.
    Mikel Larreategi
    @erral
    @MrTango I have some issues with PloneFormGen forms also
    in my case it is a multipage form that doesn't go to the second form
    T. Kim Nguyen
    @tkimnguyen

    There is a version 1.2 of the hotfix: https://pypi.org/project/Products.PloneHotfix20210518/1.2/
    New zip is up on plone.org. You may need to add a cache busting parameter to get a fresh version:
    https://plone.org/security/hotfix/20210518/@@download/hotfix?x=222

    What it fixes:
    various Unauthorized errors, for example for the historyview page
    a NotFound error when submitting a PloneFormGen form, and maybe similar situations

    brlec
    @brlec:matrix.org
    Fantastic, thank you. Fixes the historyview issue in our test instance.
    T. Kim Nguyen
    @tkimnguyen
    👍
    Mikel Larreategi
    @erral
    just for the record: we have seen an increase in the server load on a Plone 5.2 site after the installation of the 1.0 version of the security hotfix of last week. The server load has caused several restarts of the site and some unavailability of the site. We have just updated the patch to the 1.2 version and the server load has gone and the site is back as usual.
    This is the monitoring tool's screenshot of today: https://prnt.sc/13h9foi
    T. Kim Nguyen
    @tkimnguyen
    Thanks Mikel – could you post that to the forum too?
    lisperatu
    @lisperatu
    I have some Folders and Documents and Dexterity fields which are set to some value. I traverse objects and folders in shell script and I'm trying to change the value of that field directly, like obj.some_attr = <some value> or setattr(obj, 'some_attr', <some value>) and call transaction.get().commit(). I guess these attributes are just getter/setter property where setter doesn't do a thing. The value is not changed. How can I change that value (got from Dexterity field) and store the change from the script?
    Everton Zanella Alvarenga
    @everton137

    Hi, folks! Here's Everton (or Tom). I returned to develop for Plone after a couple of years (also working with @ericof) and it's nice to see how Plone improved! Congratulations!

    I'm not sure if this is the best place to ask or the community forum. I've just set up a Plone 5 on a dev server and everything was fine without SSL. After setting up the certificate, the CSS is not loading and it's saying that images are not secure. I am using the minimal nginx config suggested in the documentation for Plone in production: https://docs.plone.org/manage/deploying/front-end/nginx.html#minimal-nginx-front-end-configuration-for-plone-on-ubuntu-debian-linux

    Any tips on what it could be? Maybe the nginx config?

    Maik Derstappen
    @MrTango
    @everton137 welcome back \o/ Generally the forum is better. But what's wrong in your setup is probably that you still have the http in the rewriting/proxy definition; this also needs to be https instead, so that Plone will render URLs with https and not http.
    Adam Morris
    @brainysmurf
    I am researching CMS tools building an SIS (I work for an edtech company) and was wondering if there is anyone else in a similar space using Plone?
    T. Kim Nguyen
    @tkimnguyen
    There was one called something like School Tool based on Zope and several Plone-based LMSs
    Best to ask in the forum https://community.plone.org