20200121

CVE numbers: CVE-2020-7936, CVE-2020-7937, CVE-2020-7938, CVE-2020-7939, CVE-2020-7940, CVE-2020-7941.

Versions Affected: All supported Plone versions (4.3.15 and any earlier 4.x version, 5.2.1 and any earlier 5.x version). Previous versions could be affected but have not been tested.

Versions Not Affected: None.

Nature of vulnerability:

The patch will address several security issues:

• Privilege escalation when plone.restapi is installed. Reported and fixed by Lukas Graf and Niklaus Johner.
• An open redirection on the login form and possibly other places where redirects are done.
  The isURLInPortal check that is done to avoid linking to an external site could be tricked into accepting malicious links. Reported by Damiano Esposito.
• Password strength checks were not always checked. Reported by Ben Kummer.
• You might be able to PUT (overwrite) some content without needing write permission.
  This seems hard to do in practice. This fix is only needed when you use plone.app.contenttypes. Reported and fixed by Alessandro Pisa.
• SQL quoting in DTML or in connection objects was insufficient, leading to possible SQL injections. This is a problem in Zope. If you use Zope without Plone, this hotfix should work for you too. Reported and fixed by Michael Brunnbauer and Michael Howitz.
• Cross Site Scripting (XSS) in the title field on plone 5.0 and higher. Reported by Marcos Valle.

Version support: The hotfix is officially supported by the Plone security team on the following versions of Plone in accordance with the Plone version support policy: 4.3.19, and 5.0.10, 5.1.6, 5.2.1. It was also tested on Plone 4.2.7. It is recommended also for Plone 4.0 and 4.1, but this has not been tested.

The fixes included here will be incorporated into subsequent releases of Plone, so Plone 4.3.20, 5.1.7, 5.2.2 and greater should not require this hotfix. 

Warning: The hotfix has not been fully tested with Python 2.6. It should work though. If you find a problem due to this, we are happy to try to release an update. Python 2.6 has not been supported by the Python Software Foundation since the end of 2013. Even Python 2.7 is already End Of Life since the beginning of 2020. It gets ever more difficult to test on Python 2.6. If you are using Plone 4 with Python 2.6 you need to upgrade soon. Note that currently Plone 5.2 is the only Plone version that runs on Python versions supported upstream (3.6 and higher).

Installation instructions

The procedure for installing Hotfix 20200121 differs slightly based on which version of Plone or Zope you are running, and whether you installed Plone or Zope using buildout.

Backup First!

It is prudent to backup all your data and installation files before installing any Plone add-on, including this hotfix.  If you already have a solid Plone backup routine in place, then you can skip this step and proceed.

If you don't already have a backup of your Plone site, the simplest way to back up your Plone instance is to simply copy your entire Zope instance folder or buildout folder to a secure location.

Recommended Install Procedure

If you're less experienced with Plone, the easiest way to install Hotfix 20200121 on Plone 4.0 - Plone 5.1 (not 5.2) is as follows:

1) Download the hotfix archive using the link above.  If you have an md5 tool available (Linux or Mac), use it to check that the signature matches.

2) Place the downloaded zip file into the "products" directory in your Zope instance. On pre-buildout installations, this will be "Products".

3) Unpack the zip file.

On Linux or Mac, the command is:

 $ unzip PloneHotfix20200121-1.1.zip

On Windows, use your favorite archiving product. (7Zip is a good choice).

4)  Restart your Zope instance in foreground mode to ensure that the hotfix is installed.

On Mac or Linux, the command is typically:

 $ bin/instance fg

On Windows, the command is typically:

> bin\instance.exe fg

Zope will start in the foreground, and you should see the message "INFO PloneHotfix20200121 Hotfix installed." during startup.

5) Stop the foreground instance of Zope by hitting CTRL-C

6) Restart your Zope instance.

On Mac or Linux, the command is typically:

$ bin/instance start

On Windows, the command is typically:

> bin\instance.exe start

If you're using ZEO clients, change instance to client1, client2, etc., in the above commands.

Installing with Buildout

If you are an experienced Plone administrator, and you are using a buildout-based installation of Plone, you may choose to install Hotfix 20200121 with buildout. For Plone 5.2 this is the only option, because there is no products directory anymore. However, if you choose to do this, you must be certain that you will not accidentally overwrite Plone components with newer versions.  This is particularly likely if you try to use buildout with older versions of Plone.

If you are not sure what you're doing, please use the "Recommended Installation Instructions" above if possible.

Unless you have a very recent buildout, you may get this error when running buildout, caused by changes to the Python Packaging Index:

Error: Couldn't find a distribution for 'Products.PloneHotfix20200121==1.1'.

The most likely cause is that your buildout is trying to download the hotfix via http. You should use the https PyPI index. In the buildout section of your buildout, make sure you use the correct index:

[buildout]
index = https://pypi.org/simple/

A combination of setuptools 33.1.1 and zc.buildout 2.9.6 works correctly, if you want to be conservative.

1) Find your buildout.cfg file, typically located in the "zinstance" subdirectory of your Plone installation directory. (If you're using ZEO clients, the subdirectory may be called "zeoserver").

2) Open your buildout.cfg file in your text editor. 

3) Scroll down to the "eggs" section of the buildout and add Products.PloneHotfix20200121, e.g.

[buildout]
...
eggs = 
    Products.PloneHotfix20200121

[versions]
Products.PloneHotfix20200121 = 1.1

4) Rerun buildout.

On Mac or Linux, the command is:

$ ./bin/buildout -Nv

On windows, the command is:

> bin\buildout.exe -Nv

5) Restart your Zope instance.

On Mac or Linux, the command is:

$ ./bin/instance start

On Windows, the command is:

> bin\instance.exe start

Alternatively, on Windows, you may restart the Zope service via the Windows Services control panel.

If you're using ZEO clients, change instance to client1, client2, etc., in the above commands.

Confirming Installation

On startup, the hotfix will log a number of messages to the Zope event log. You can use this to confirm the patch is successfully installed. They look like this:

2020-01-21 13:10:26 INFO Products.PloneHotfix20200121 Applied sql_quote patch
2020-01-21 13:10:26 INFO Products.PloneHotfix20200121 Applied in_portal patch
2020-01-21 13:10:26 INFO Products.PloneHotfix20200121 Applied password_validation patch
2020-01-21 13:10:26 INFO Products.PloneHotfix20200121 Applied pac patch
2020-01-21 13:10:26 INFO Products.PloneHotfix20200121 Applied content patch
2020-01-21 13:10:26 INFO Products.PloneHotfix20200121 Applied layout patch
2020-01-21 13:10:26 INFO Products.PloneHotfix20200121 Applied restapi_local_roles patch
2020-01-21 13:10:26 INFO Products.PloneHotfix20200121 Hotfix installed

Not all patches are needed in all Plone versions, and may depend on which extra packages you have installed. For example the 'pac' patch is only applied when you use plone.app.contenttypes. Patches that are not relevant for you, do not appear in the log.

If the hotfix tries to apply a patch and there is an error, then you may have a setup that we did not consider. Please investigate then. You will get an error like this, followed by a traceback:

2020-01-21 13:10:26 ERROR Products.PloneHotfix20200121 Could not apply content