[triangle-zpug] Security hole fix?

Chris Calloway cbc at unc.edu
Thu Feb 1 00:22:33 CET 2007


Robert Geiger wrote:
> I checked the Plone site, and there is no reference that I can find 
> regarding this problem.

Ah, here it is:

http://svn.plone.org/svn/plone/CMFPlone/trunk/HISTORY.txt

Under Plone 2.5.1-rc1 - released September 11, 2006:

"Fix member portrait handling by automatically scaling all incoming 
images using PIL. This will throw an IOError on any invalid image and 
also save some bandwidth and space in the zodb. [alecm]"

There was a hotfix available while the release candidate was out. As far 
as I can tell with a quick look, the hotfix has been removed since the 
actual full point release. I think this was because I remember some 
people being kinda upset about this being called a security exploit 
since the uploaded scripts in place of images couldn't actually be 
executed in a Plone page. They were just being used by spammers to store 
redirects, which they could already do if given a personal folder and 
permission to write to it.

The guy who fixed it (Alec Mitchell) is one of our sponsored sprinters 
for the BBQ sprint.

-- 
Sincerely,

Chris Calloway
http://www.seacoos.org
office: 332 Chapman Hall   phone: (919) 962-4323
mail: Campus Box #3300, UNC-CH, Chapel Hill, NC 27599
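The fix quoted from HISTORY.txt above, shown as an added illustration (my own example, not Plone's or Alec Mitchell's code): every uploaded portrait is round-tripped through PIL, so anything that is not a decodable image raises IOError and only the re-encoded pixels are ever stored. It assumes Pillow is installed; the size limit, the helper names and the sample inputs are constructed for the demo.

```python
"""Validate and rescale an uploaded member portrait with PIL/Pillow.

Added example, not Plone's code. Assumes Pillow is available; the inputs
below are generated in memory so the demo runs offline.
"""
from io import BytesIO
from PIL import Image

MAX_SIZE = (75, 100)          # assumed portrait bound, not Plone's real value
ALLOWED = {"JPEG", "PNG", "GIF"}


def scale_portrait(data):
    """Return (scaled_bytes, format, (w, h)); raise IOError for non-images.

    Two passes: verify() checks the file structure without decoding pixels,
    then the data is reopened (verify() leaves the object unusable) and
    re-encoded, so the original upload's bytes never reach storage.
    """
    try:
        probe = Image.open(BytesIO(data))
        probe.verify()
    except OSError as exc:    # Pillow raises OSError/IOError on invalid data
        raise IOError("uploaded data is not a recognised image") from exc
    fmt = probe.format
    if fmt not in ALLOWED:
        raise IOError("unsupported image format: %s" % fmt)
    img = Image.open(BytesIO(data))
    img.thumbnail(MAX_SIZE)   # in place, keeps aspect ratio, never enlarges
    out = BytesIO()
    img.save(out, format=fmt)
    return out.getvalue(), fmt, img.size


def is_valid_portrait(data):
    """Boolean wrapper around scale_portrait for callers that only gate."""
    try:
        scale_portrait(data)
        return True
    except IOError:
        return False


def sample_png(width, height):
    """Constructed sample: a solid-colour PNG generated here for the demo."""
    buf = BytesIO()
    Image.new("RGB", (width, height), (10, 120, 200)).save(buf, format="PNG")
    return buf.getvalue()


# Constructed sample: HTML text uploaded under an image file name.
FAKE_PORTRAIT = b'<meta http-equiv="refresh" content="0;url=http://example.invalid/">'

if __name__ == "__main__":
    scaled, fmt, size = scale_portrait(sample_png(300, 400))
    print(fmt, size, len(scaled), "bytes")
    print("text upload accepted:", is_valid_portrait(FAKE_PORTRAIT))
```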
