Plone 5.2.5

There may be hotfixes applicable to this release. Always check the Plone Hotfix page before production deployment.

Release notes

Date released: 2021-08-06
Release manager: Eric Steele

Plone 5.2.5 is a bug fix release of Plone 5.2. Release Manager for this version is Maurits van Rees (despite the automated text above).

Installers are not ready yet, so not all buttons below will work. Experienced users can update their buildout config by pointing to

Linux/BSD/Unix users: Use the Unified Installer. It is a configuration and setup kit with build scripts.

Windows 10 users: use the Unified Installer. See Windows-specific installation instructions. Consider using the unified installer within the Windows Subsystem for Linux (WSL).

OS X users: use the Vagrant kit or install XCode command-line tools and use the Unified Installer.

Automated provisioning: See Plone's Ansible Playbook for a full-stack installation kit.

Cross-platform Docker: install Docker and use the Plone Docker image.

For the Plone 5.2 upgrade guide, see

Specific release notes for Plone 5.2.5:

Some highlights of this release are:

  • Security fixes in AccessControl and Products.isurlinportal.
  • Security fixes from Products.PloneHotfix20210518 taken over in core.
  • Zope: 4.5.5 to 4.6.3
  • Products.CMFPlone: Add PLONE52MARKER Python marker.
  • Add proper support for Dexterity folderish content.
  • plone.folder: restore webdav support.
  • plone.registry: Allow plone.schema.JSONField to be stored in registry (dictionary-like).
  • plone.namedfile: Cache stable image scales strongly.
  • plone.recipe.zope2instance: customize WSGI, profiling, python-env.
  • plone.restapi: JSONField, sub blocks, use_site_search_settings.
  • Lots of bugfixes, especially improving Python 3 compatibility.

Zope: 4.5.5 → 4.6.3

plone.recipe.zope2instance: 6.8.3 → 6.10.0

New features:

  • Allow to customize the WSGI pipeline [ale-rt, jensens] (#116)
  • Add repoze.profile profiling middleware support [jensens] (#129)
  • Make any ctl script python-env aware [sneridagh] (#162)
  • Added support for Python 3.9 and restored support for Python 3.5 (needed for Zope 4) [dataflake] (#164)

Bug fixes:

  • Enable both weekly and manual builds for GitHub Actions [jugmac00] (#169)
  • Fix unsupported syntax in the requirements files which prevented evaluating the specified constraints during test runs [jugmac00]. (#171)
  • Applied code style black and isort with Plone/black rules, includes tox/GH-Actions [jensens] (#175)
  • Fixed $PYTHONSTARTUP file support for the debug command under Python 3 [dataflake] (#167)

i18ndude: 5.3.4 → 5.4.0

New features:

  • i18ndude rebuild-pot --exclude="name1 name2" now also accepts directory names for exclusion. Excluding a directory name will exclude all files in and below the given directory, but only if the directory name exactly matches an exclusion name (no globs, no substring match). This change also results in the hardcoded exclusions for 'tests' and 'docs' actually working. (#86)

Bug fixes:

  • Test with GitHub Actions instead of Travis CI. [maurits] (#83)
  • Support Python 3.9. No code changes were needed. [maurits] (#83)
  • Do not raise AttributeError when content is None. (#84)

Products.ExternalMethod: 4.4 → 4.5

  • update configuration for version 5 of isort
  • add support for Python 3.9

Products.PythonScripts: 4.12 → 4.13

  • make sure "Manager" users can always modify proxy roles (#50)
  • add support for Python 3.9
  • update configuration for version 5 of isort

diazo: 1.4.0 → 1.4.1

Bug fixes:

  • Fix problems with tox4 and simplify tox and test setup. [loechel] (#80)

mockup: 3.2.5 → 3.2.6

Bug fixes:

  • Remove fonts from patterns to avoid multiple inline includes. [agitator] (#1042)

Plone: 5.2.4 → 5.2.5

Bug fixes:

  • Release Plone 5.2.5 final [maurits]

plone.api: 1.10.4 → 1.11.0

New features:

  • Drop support for Plone 4.3, 5.0, 5.1, add support for 6.0. The code might still work, but it is no longer tested. You can use releases in the 1.10 series on the older versions. [maurits] (#431)

Bug fixes:

  • Add tests to verify that the intids utility is correct after moving content. [ale-rt, maurits] (#430)
  • Improve tox.ini so that plone.api could be tested locally. Add all tests to travis-ci config. Add .editorconfig file to plone.api to help enforce coding conventions [loechel] (#448)
  • Fix plone.api.content.find to respect object_provides "not" queries. Fixes: #451 [thet] (#452)

3.8.7 → 3.8.8

Bug fixes:

  • Allow to use the @@getSource view when we are in an add form and we do not have the "Modify portal content" permission (#221)
  • Call fileUpload view explict with @@ to avoid possible clashes. [jensens] (#225)
  • Fixed stored XSS in folder contents. From the PloneHotfix20210518 contents fix. [maurits] (#3274)
  • Fixed stored XSS from user fullname and possibly other places where getVocabulary is called. This is an alternative to the workaround from the PloneHotfix20210518 fullname fix. [maurits] (#3274)

2.3.2 → 2.3.3

Bug fixes:

  • Updated README.rst. [ksuess, jensens] (#1)

3.2.10 → 3.2.12

Bug fixes:

  • Do not allow file: protocol in ical url. Previously, only file:// was disallowed, but this left room for relative paths. Taken over from PloneHotfix20210518. [maurits] (#3274)
  • Fix #330 traversal problem in the portlet_events template when an object in a folder is called "image" (backport from master) [sneridagh] (#330)
  • Fix events portlet error when rendering with thumbnails suppressed [alecpm] (#332)

3.3.15 → 4.0.1

New features:

  • Add proper support for DX folderish content [sneridagh] (#92)

Bug fixes:

  • Fix checkin/checkout process for containers, since there was an annotation left to "reset" (pos) on checkout and it broke the sections viewlet [sneridagh] (#93)
  • Do not break if some custom code provides an alias for Products.Archetypes (#85)
  • Black and pep8 compliance [sneridagh] (#88)
  • Update relations on Check-In of a WorkingCopy by triggering an ObjectModifiedEvent; black and flake8 formatting [2silver] (#89)

5.1.28 → 5.1.29

  • Update Dutch translations. [fredvd]
  • Fix German translations. [pbauer]
  • Fix French translations. [boulch, laulaz]

4.4.6 → 4.4.7

Bug fixes:

4.1.6 → 4.1.7

Bug fixes:

  • Avoid Server Side Request Forgery via lxml parser. Taken over from PloneHotfix20210518. [maurits] (#3274)

2.0.38 → 2.0.39

Bug fixes:

  • Added upgrade to 5213, Plone 5.2.5. [maurits] (#525)

3.1.1 → 3.1.2

Bug fixes:

  • tweak wording ("unhide" vs. "show" viewlets), remove old Trac reference (#23)

plone.contentrules: 2.1.0 → 2.1.2

Bug fixes:

  • Fixed another deprecation warning for ObjectEvent from zope.component. [maurits] (#3130)
  • Fix fields in the interface IRuleConfiguration: enabled, stop and cascading are not required. [andreesg] (#11)

plone.dexterity: 2.10.0 → 2.10.2

Bug fixes:

  • Fix export/import of content in Python 3. Fixes issue 124. Also fixes the tests in combination with newest Products.GenericSetup 2.1.2. [maurits] (#124)
  • Officially support Plone 6.0 and Python 3.9. No code changes. [maurits] (#1)

plone.folder: 3.0.3 → 3.1.0

New features:

  • Restore webdav support [frapell] (#16)

plone.formwidget.namedfile: 2.1.0 → 2.1.2

Bug fixes:

  • Fix issue where already uploaded images were lost when a file validation error occurs. [fRiSi] (#46)
  • Fix NamedFileWidget bug when trying to create value from None. [vangheem] (#35)
  • Don't check for hard coded image size in test. [agitator] (#40)

plone.memoize: 2.1.0 → 2.1.1

Bug fixes:

  • Work in a FIPS enabled environment by using SHA1 instead of MD5 for computing the cache key. [frapell] (#25)

plone.namedfile: 5.4.0 → 5.5.1

New features:

  • Prevent stored XSS from file upload (svg, html). Do this by implementing an allowlist of trusted mimetypes that may be served inline. You can turn this around by using a denylist of just svg, html and javascript. Do this by setting the OS environment variable NAMEDFILE_USE_DENYLIST=1. From Products.PloneHotfix20210518. [maurits] (#3274)

Bug fixes:

  • Cache stable image scales strongly. When is available, this is already done. Otherwise, we should do this ourselves. Fixes issue 100. [maurits] (#100)
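
As an added illustration of the allowlist-versus-denylist choice in the plone.namedfile entry above (example code written for this page, not plone.namedfile's implementation): the default path serves inline only the types on a fixed allowlist and forces a download for everything else, while setting NAMEDFILE_USE_DENYLIST=1 flips it to blocking only a short list of known-dangerous types. The two mimetype sets, the helper names and the header format are assumptions for the example.

```python
# Added example, not plone.namedfile's own code: decide whether a stored file
# may be rendered inline in the site's origin, allowlist by default, denylist
# when NAMEDFILE_USE_DENYLIST=1 is set. The two sets below are assumptions.
import os
import re

# Assumed allowlist: types a browser renders without executing script.
ALLOWED_INLINE_MIMETYPES = {
    "image/png", "image/jpeg", "image/gif", "image/webp",
    "application/pdf", "text/plain", "audio/mpeg", "video/mp4",
}
# Assumed denylist: types a browser will run script from when shown inline.
DENIED_INLINE_MIMETYPES = {
    "image/svg+xml", "text/html", "application/xhtml+xml",
    "application/javascript", "text/javascript",
}


def use_denylist(environ=os.environ):
    """Read the NAMEDFILE_USE_DENYLIST switch; anything but empty/0/false/no enables it."""
    value = environ.get("NAMEDFILE_USE_DENYLIST", "").strip().lower()
    return value not in ("", "0", "false", "no")


def normalize_mimetype(mimetype):
    """Drop parameters and case: 'Text/HTML; charset=utf-8' -> 'text/html'."""
    return (mimetype or "").split(";", 1)[0].strip().lower()


def may_serve_inline(mimetype, denylist=None):
    """True if the file may be rendered inline under the selected policy."""
    mt = normalize_mimetype(mimetype)
    if denylist is None:
        denylist = use_denylist()
    if denylist:
        # Opt-in denylist: anything not explicitly blocked is rendered inline.
        return mt not in DENIED_INLINE_MIMETYPES
    # Default allowlist: anything not explicitly trusted becomes a download.
    return mt in ALLOWED_INLINE_MIMETYPES


def content_disposition(mimetype, filename, denylist=None):
    """Build a Content-Disposition value; 'attachment' makes the browser save
    the bytes instead of rendering them, so stored markup never executes."""
    kind = "inline" if may_serve_inline(mimetype, denylist) else "attachment"
    # Keep the header simple: replace anything outside a safe character set.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return '%s; filename="%s"' % (kind, safe_name)
```

The difference shows with a type neither list names, such as text/xml: under the denylist it is rendered inline in the site's origin (an XML document can carry an xml-stylesheet instruction or inline XHTML that browsers will process), under the allowlist it becomes a download. That is why the allowlist is the default and the denylist an explicit opt-out.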

plone.registry: 1.1.6 → 1.2.1

New features:

  • Allow plone.schema.JSONField be stored in registry (as dict-like)
    [sneridagh] (#719)

Bug fixes:

  • Fix registry key validation regexp. [jensens] (#23)

plone.resource: 2.1.3 → 2.1.4

Bug fixes:

  • Do not throw an error when traversing to a FilesystemResourceDirectory (#31)

plone.restapi: 7.0.0 → 7.3.8

New features:

  • Adjust JSONField adapter to include widget name to use in serialization [sneridagh] (#1089)
  • Allow block transforms to run in "subblocks", discovered as the blocks field (or alternatively, data.blocks) in a block value. (#1085)
  • Allow passing use_site_search_settings=1 in the @search endpoint request, to follow Plone's ISearchSchema settings. (#1081)

Bug fixes:

  • Fix navigation endpoint sort by adding default sort_on='getObjPositionInParent' to the query. @valipod @tiberiuichim (#1107)
  • Fix startup on Plone 4 without [maurits] (#1166)
  • Fix error in Plone 4.3 that installed the blocks profile when installing the package, instead of the default profile. Fix #895 [wesleybl] (#895)
  • Fixed a deprecation warning when importing UnrestrictedUser from AccessControl (#1129)
  • Fix @workflow when executing user has no permissions to access review_history in target state. [deiferni] (#999)
  • Fix @history when full history is empty. [deiferni] (#1113)
  • Fix @querystring-search endpoint with correct sort_order @mamico (#1108)
  • Fix @search endpoint with use_site_search_settings flag, for VHM PhysicalRoot scenarios @tiberiuichim (#1105)
  • Fixes if old p.schema is used [sneridagh] (#1103)
  • Fixes build was using the released version [sneridagh] (#1090)
  • @contextnavigation endpoint does not honor nav_title index [sneridagh] (#1092)
  • Do not log "No such index" warnings for known indexes like metadata_fields @cekk (#987)
  • Respect "Access inactive portal content" permission in @search endpoint [cekk] (#1066)
  • Add GSM unsubscribe for test registered adapters in block transformer tests @tiberiuichim (#1083)
  • Pin some package versions to fix buildout @tiberiuichim (#1086)
  • Re-release 7.3.6 since it was a brown bag release.

plone.schema: 1.2.1 → 1.3.0

New features:

  • Adjust JSONField to include widget name [sneridagh] (#10)

plone.schemaeditor: 3.0.2 → 3.0.3

Bug fixes:

  • Make test 'Add a choice field with a named vocabulary' more robust. [wesleybl] (#84)

plone.staticresources: 1.4.2 → 1.4.3

Bug fixes:

  • Reduce bundle sizes by not inlining fonts in each bundle - moved plone-fontello and glyphicons to their own bundle. Icon font bundles use fonts from ++plone++static/fonts/. Based on mockup 1.2.6. [agitator] (#131)

plone.testing: 8.0.2 → 8.0.3

Bug fixes:

  • fix waitress deprecation warning (#77)
  • Catch OSError in test teardown when removing a temporary directory. Fixes issue 79. [maurits] (#79)

Products.CMFCore: 2.5.0 → 2.5.4

  • Fix code and tests when running on Products.GenericSetup >= 2.1.2, thus requiring at least that version.
  • Do not break at startup when subscribers.zcml is included but no portal_catalog object is in the database, e. g. when starting for the first time. (#115)
  • Avoid DeprecationWarning for changed import location for rfc1123_date
  • Fix several DeprecationWarnings during unit tests (#112)
  • Set Cache-Control header in '304 Not Modified' response case as well. (#111)
  • Make sure getSkinNameFromRequest only returns sane values (#109)
  • Fix Python 3 incompatibility in CookieCrumbler.credentialsChanged

Products.CMFDiffTool: 3.3.2 → 3.3.3

Bug fixes:

  • Added XSS fix from PloneHotfix20210518 for inline diff. See vulnerability. The first version of the hotfix escaped all html. Now for the rich text field, use the safe html transform, otherwise the inline diff is no longer inline. [maurits] (#39)

Products.CMFPlone: 5.2.4 → 5.2.5rc1

New features:

  • Add PLONE52MARKER Python marker [sneridagh] (#3257)

Bug fixes:

Products.DCWorkflow: 2.4.1 → 2.5.0

New features:

  • Add support for Python 3.9.

Bug fixes:

  • Avoid a deprecation warning when importing gather_permissions (#20)
  • Avoid a TypeError when adding a managed group to a workflow (#18)

Products.GenericSetup: 2.1.1 → 2.1.3

  • Fix Issue #83 where empty Versions caused an Error [gogobd]
  • Document and fix behavior of methods that open/read/write filesystem files (#107)
  • Fix snapshot comparisons under Python 3 (#85)

Products.isurlinportal: 1.1.1 → 1.2.0

New features:

  • Treat urls like without slashes as outside the portal. Some browsers would redirect to, some would redirect to a non-existing local page. We never want this, because this is likely a hack attempt. This vulnerability was discovered and reported by Yuji Tounai of Mitsui Bussan Secure Directions, Inc. See security advisory 1. [maurits] (#1)
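
The ical URL entry earlier on this page (the file: scheme was only rejected when written as file://, so a relative file: path got through) and the Products.isurlinportal entry above share one root cause: a URL judged by string prefix rather than by its parsed parts. The following is an added example written for this page, not code from either package or from the hotfix. The portal URL, the allowed schemes, and the form of the slash-less URL (taken here to be a scheme followed directly by a host, with no //) are assumptions.

```python
# Added example, not the code of the packages described on the page: decide
# about a URL from its parsed scheme and netloc instead of a string prefix.
# PORTAL_URL, the allowed schemes and the slash-less form are assumptions.
from urllib.parse import urlsplit

PORTAL_URL = "https://plone.example.org"  # assumed portal URL


def ical_url_allowed_prefix_only(url):
    """The weak check: reject only the literal "file://" prefix.

    "file:etc/passwd" (no slashes, a relative path) and "FILE://..." pass,
    which is the gap the ical entry describes.
    """
    return not url.startswith("file://")


def ical_url_allowed(url):
    """Decide by the parsed scheme, not by a prefix.

    urlsplit lowercases the scheme and parses "file:etc/passwd" as scheme
    "file" with path "etc/passwd", so every spelling is caught. Only http
    and https are accepted here (an assumption for the example).
    """
    return urlsplit(url).scheme in ("http", "https")


def is_url_in_portal(url, portal_url=PORTAL_URL):
    """True only for URLs that stay on the portal host.

    Rejects non-http(s) schemes, protocol-relative "//host" URLs, and the
    scheme-without-slashes form "https:example.com", which browsers handle
    inconsistently (some follow it to the external host).
    """
    parts = urlsplit(url)
    portal = urlsplit(portal_url)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False
        if not parts.netloc:
            # "https:example.com": scheme present but no "//host" part.
            return False
    if parts.netloc:
        # netloc includes userinfo and port, so "portal@evil" and
        # "//evil.example.com" both fail the comparison.
        return parts.netloc.lower() == portal.netloc.lower()
    if "\\" in parts.path:
        # Some browsers treat "\" as "/", turning "/\evil" into "//evil".
        return False
    return True  # plain relative path, stays on the portal
```

The prefix version shows the bypass: it accepts file:etc/passwd while the parsed version rejects it. The portal check is deliberately strict about the host string; a port or an upper-case host that is not in PORTAL_URL counts as outside, which is the safer failure direction for a redirect target.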

Products.PlonePAS: 6.0.7 → 6.0.8

Bug fixes:

  • Fixed tests for cookie auth to also work with zope.interface 5.3.0. This uses simpler representations for interfaces. Tests now pass with earlier and later versions. [maurits] (#237)

Products.PluggableAuthService: 2.6.1 → 2.6.4

  • Fix method signature of PluggableAuthService._setObject (#95)
  • Fix tests when running on Products.GenericSetup >= 2.1.2, thus requiring at least that version.
  • ZMI: use flexbox for twolist macro, fixes removing roles in Safari browser. (#91)
  • Fix CSRF token access for tighter TAL path expression security in Zope 5.2.1 (#99)
  • Changed adding object gui to modal window
  • Handle login issues for cookie based login when came_from is missing (#65)
  • Tighten down security on several login string transformation methods (#88)

Products.PluginRegistry: 1.8 → 1.9

  • add support for Python 3.9
  • change package structure to move package code into a src subfolder

Products.PortalTransforms: 3.1.10 → 3.1.11

Bug fixes:

  • Split method cleaner_options off from scrub_html in safe_html transform. This makes it easier to monkey patch or subclass. [maurits] (#44)

  • REST transform: ignore warnings and stylesheet keyword arguments. They can be abused. From Products.PloneHotfix20210518. [maurits] (#3274)

Products.Sessions: 4.8 → 4.9

  • Add support for Python 3.9

Products.SiteErrorLog: 5.4 → 5.5

  • Add support for Python 3.9
  • Update configuration for version 5 of isort

1.4.2 → 1.4.3

Bug fixes:

  • Fix issue where versioning dynamic content types with blob fields broke after a schema update due to a change in dynamic schema identifiers since plone.dexterity >= 2.10.0 [datakurre] (#57)

4.3.2 → 5.0.0

2.1.1 → 2.1.2

Bug fixes:

  • Fix traversal handling of subobjects with ids that may also be image scales. [rpatterson]

Products.Archetypes: 1.16.4 → 1.16.5

Bug fixes:

  • Fixed incompatibility with zope.component 5. zope.component.interfaces has long been a backwards compatibility import for zope.interface.interfaces, but not anymore. [maurits] (#462)
