CSRF fixes for Plone 4

Navigation

Verified details

These details have been verified by PyPI
Owner
organization icon Plone
Maintainers
Avatar for vangheem from gravatar.com vangheem

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: GPL version 2

Author: Plone Foundation

Tags plone, csrf

Classifiers

Project description

plone4.csrffixes

The package aims to backport the auto CSRF implementation from Plone 5 to Plone 4.

The reason this is necessary is because there are a lot of CSRF problem with the ZMI that Zope2 will never be able to fix.

See https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf for more details.

Installation

Plone 4.3, 4.2, 4.1 and 4.0

add plone4.csrffixes to eggs list:

eggs =
    ...
    plone4.csrffixes
    ...

add a new version pin for plone.protect, plone.keyring and plone.locking:

[versions]
...
plone.protect = 3.0.14
plone.keyring = 3.0.1
plone.locking = 2.0.8
...

Plone 4.0 and 4.1

If lxml is not already included in your site, this package has a dependency on lxml and will pull it in when installed.

We recommend pinning to version 2.3.6 of lxml. If you use a version of lxml > 3, you’ll need to also install the cssselect package. Since version 1.0.4 we require cssselect in our setup.py so it is automatically installed.

Additional addon versions

To prevent some write on read errors that might cause false positives with the auto csrf protection, these version pins have been reported to work upgrading to:

Products.CMFQuickInstallerTool = 3.0.12
Products.PlonePAS = 5.0.4

Changelog

1.0.6 (2015-10-12)

  • add a trailing slash on the site referrer matching [vangheem]

1.0.5 (2015-10-08)

  • Handle TypeError caused by getToolByName on an invalid context [vangheem]

1.0.4 (2015-10-07)

  • add cssselect dependency for people who install lxml > 3 by mistake on Plone 4.0 and 4.1 [vangheem]

1.0.3 (2015-10-07)

  • prevent TypeError from occurring when checking commit of non-string keys on an OOBTree instance. Fixes #5 [vangheem]

  • Check to see if tinymce ajax is already patched or not. This prevents JavaScript recursion error. [awello, cekk]

1.0.2 (2015-10-06)

  • use a better guess at if we should rewrite urls for zmi [vangheem]

1.0.1 (2015-10-06)

  • correctly check for origin header [vangheem]

1.0.0 (2015-10-06)

  • initial release

Project details

Verified details

These details have been verified by PyPI
Owner
organization icon Plone
Maintainers
Avatar for vangheem from gravatar.com vangheem

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: GPL version 2

Author: Plone Foundation

Tags plone, csrf

Classifiers

Release history Release notifications | RSS feed

1.1.1

1.1

1.0.9

1.0.8

This version

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

plone4.csrffixes-1.0.6.zip (20.1 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page