[triangle-zpug] Security hole fix?
Chris Calloway
cbc at unc.edu
Thu Feb 1 00:22:33 CET 2007
Robert Geiger wrote:
> I checked the Plone site, and there is no reference that I can find
> regarding this problem.
Ah, here it is:
http://svn.plone.org/svn/plone/CMFPlone/trunk/HISTORY.txt
Under Plone 2.5.1-rc1 - released September 11, 2006:
"Fix member portrait handling by automatically scaling all incoming
images using PIL. This will throw an IOError on any invalid image and
also save some bandwidth and space in the zodb. [alecm]"
There was a hotfix available while the release candidate was out. As far
as I can tell with a quick look, the hotfix has been removed since the
actual full point release. I think this was because I remember some
people being kinda upset about this being called a security exploit
since the uploaded scripts in place of images couldn't actually be
executed in a plone page. The were just being used by spammers to store
redirects, which they could already do if given a personal folder and
permission to write to it.
The guy who fixed it (Alec Mitchell) is one of our sponsored sprinters
for the BBQ sprint.
--
Sincerely,
Chris Calloway
http://www.seacoos.org
office: 332 Chapman Hall phone: (919) 962-4323
mail: Campus Box #3300, UNC-CH, Chapel Hill, NC 27599
More information about the TriZPUG
mailing list