Commit
Branch: refs/heads/master
Date: 2021-07-09T16:22:29+02:00
Author: Maurits van Rees (mauritsvanrees) <[email protected]>
Commit: plone/plone.namedfile@0b0cd85

Cache stable image scales strongly.

When plone.app.imaging is available, this is already done.
Otherwise, we should do this ourselves.
Fixes plone/plone.namedfile#100.

Files changed:
A news/100.bugfix
M plone/namedfile/scaling.zcml

Repository: plone.namedfile
Branch: refs/heads/master
Date: 2021-07-11T11:10:17+02:00
Author: Jens W. Klein (jensens) <[email protected]>
Commit: plone/plone.namedfile@8f92092

Merge pull request #101 from plone/maurits/stable-scales-stable-cache

Cache stable image scales strongly.

Files changed:
A news/100.bugfix
M plone/namedfile/scaling.zcml
Showing 1 changed file with 21 additions and 22 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,39 +1,38 @@ | ||
Repository: plone.app.event | ||
Repository: plone.namedfile | ||
|
||
|
||
Branch: refs/heads/3.2.x | ||
Date: 2021-07-05T21:55:33+02:00 | ||
Branch: refs/heads/master | ||
Date: 2021-07-09T16:22:29+02:00 | ||
Author: Maurits van Rees (mauritsvanrees) <[email protected]> | ||
Commit: https://github.com/plone/plone.app.event/commit/1c13394ec55f30f643dd13118b03848656db025a | ||
Commit: https://github.com/plone/plone.namedfile/commit/0b0cd855f2f0ef006ff8ddad8b04d180a3e55994 | ||
|
||
Do not allow file: protocol in ical url. | ||
Cache stable image scales strongly. | ||
|
||
Previously, only `file://` was disallowed, but this left room for relative paths. | ||
Taken over from [PloneHotfix20210518](https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-event-ical-url). | ||
When plone.app.imaging is available, this is already done. | ||
Otherwise, we should do this ourselves. | ||
Fixes https://github.com/plone/plone.namedfile/issues/100. | ||
|
||
Files changed: | ||
A news/3274.bugfix | ||
M plone/app/event/ical/importer.py | ||
M plone/app/event/tests/test_ical_import.py | ||
A news/100.bugfix | ||
M plone/namedfile/scaling.zcml | ||
|
||
b'diff --git a/news/3274.bugfix b/news/3274.bugfix\nnew file mode 100644\nindex 00000000..70d2bf13\n--- /dev/null\n+++ b/news/3274.bugfix\n@@ -0,0 +1,4 @@\n+Do not allow ``file:`` protocol in ical url.\n+Previously, only ``file://`` was disallowed, but this left room for relative paths.\n+Taken over from `PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-event-ical-url>`_.\n+[maurits]\ndiff --git a/plone/app/event/ical/importer.py b/plone/app/event/ical/importer.py\nindex e5520b3e..a6eeb71c 100644\n--- a/plone/app/event/ical/importer.py\n+++ b/plone/app/event/ical/importer.py\n@@ -229,8 +229,8 @@ def no_file_protocol_url(value):\n \n This opens up security issues.\n """\n- if value and value.startswith("file://"):\n- raise Invalid(_(u"URLs with file:// are not allowed."))\n+ if value and value.startswith("file:"):\n+ raise Invalid(_(u"URLs with file: are not allowed."))\n return True\n \n \ndiff --git a/plone/app/event/tests/test_ical_import.py b/plone/app/event/tests/test_ical_import.py\nindex dffd9af9..16cadaa1 100644\n--- a/plone/app/event/tests/test_ical_import.py\n+++ b/plone/app/event/tests/test_ical_import.py\n@@ -73,3 +73,20 @@ def test_enable_ical_import(self):\n self.assertIn(\n \'URL to an external icalendar resource file\',\n self.browser.contents)\n+\n+ def test_constraint(self):\n+ self.portal.invokeFactory("Folder", "f1")\n+ f1 = self.portal["f1"]\n+ f1_url = f1.absolute_url()\n+ transaction.commit()\n+\n+ # Enable ical import.\n+ self.browser.open(f1_url + "/ical_import_settings/enable")\n+ self.browser.getControl("Confirm action").click()\n+\n+ # Set it to a file url.\n+ self.browser.open(f1_url + "/ical_import_settings")\n+ self.assertIn("URL to an external icalendar resource file", self.browser.contents)\n+ self.browser.getControl(name="form.widgets.ical_url").value = "file:///tmp/test.ical"\n+ self.browser.getControl(name="form.buttons.save").click()\n+ self.assertIn("URLs with file: are not 
allowed.", self.browser.contents)\n' | ||
b'diff --git a/news/100.bugfix b/news/100.bugfix\nnew file mode 100644\nindex 0000000..2d9c017\n--- /dev/null\n+++ b/news/100.bugfix\n@@ -0,0 +1,5 @@\n+Cache stable image scales strongly.\n+When plone.app.imaging is available, this is already done.\n+Otherwise, we should do this ourselves.\n+Fixes `issue 100 <https://github.com/plone/plone.namedfile/issues/100>`_.\n+[maurits]\ndiff --git a/plone/namedfile/scaling.zcml b/plone/namedfile/scaling.zcml\nindex bf76834..e528232 100644\n--- a/plone/namedfile/scaling.zcml\n+++ b/plone/namedfile/scaling.zcml\n@@ -1,5 +1,7 @@\n <configure\n xmlns="http://namespaces.zope.org/zope"\n+ xmlns:cache="http://namespaces.zope.org/cache"\n+ xmlns:zcml="http://namespaces.zope.org/zcml"\n xmlns:browser="http://namespaces.zope.org/browser">\n <include package="zope.annotation" />\n <browser:page\n@@ -20,4 +22,21 @@\n factory=".scaling.DefaultImageScalingFactory"\n for="*"\n />\n+\n+ <!-- In plone.app.caching, image scales are weakly cached.\n+ But stable (uid) image scales should be strongly cached.\n+ When plone.app.imaging is available, this is already done.\n+ Otherwise, we should do this ourselves.\n+ See https://github.com/plone/plone.namedfile/issues/100 -->\n+ <configure zcml:condition="not-installed plone.app.imaging">\n+ <configure zcml:condition="installed z3c.caching">\n+ <include package="z3c.caching" />\n+ <include package="z3c.caching" file="meta.zcml" />\n+ <cache:ruleset\n+ for=".interfaces.IStableImageScale"\n+ ruleset="plone.stableResource"\n+ />\n+ </configure>\n+ </configure>\n+\n </configure>\n' | ||
|
||
Repository: plone.app.event | ||
Repository: plone.namedfile | ||
|
||
|
||
Branch: refs/heads/3.2.x | ||
Date: 2021-07-08T09:38:16+02:00 | ||
Author: Maurits van Rees (mauritsvanrees) <[email protected]> | ||
Commit: https://github.com/plone/plone.app.event/commit/1ab5ad21da54fe23b6d31de43eaa1710e747cf8b | ||
Branch: refs/heads/master | ||
Date: 2021-07-11T11:10:17+02:00 | ||
Author: Jens W. Klein (jensens) <[email protected]> | ||
Commit: https://github.com/plone/plone.namedfile/commit/8f92092395da017f103063960816518411e9c58a | ||
|
||
Merge pull request #335 from plone/hotfix-20210518-32x | ||
Merge pull request #101 from plone/maurits/stable-scales-stable-cache | ||
|
||
Do not allow file: protocol in ical url. [3.2.x] | ||
Cache stable image scales strongly. | ||
|
||
Files changed: | ||
A news/3274.bugfix | ||
M plone/app/event/ical/importer.py | ||
M plone/app/event/tests/test_ical_import.py | ||
A news/100.bugfix | ||
M plone/namedfile/scaling.zcml | ||
|
||
b'diff --git a/news/3274.bugfix b/news/3274.bugfix\nnew file mode 100644\nindex 00000000..70d2bf13\n--- /dev/null\n+++ b/news/3274.bugfix\n@@ -0,0 +1,4 @@\n+Do not allow ``file:`` protocol in ical url.\n+Previously, only ``file://`` was disallowed, but this left room for relative paths.\n+Taken over from `PloneHotfix20210518 <https://plone.org/security/hotfix/20210518/server-side-request-forgery-via-event-ical-url>`_.\n+[maurits]\ndiff --git a/plone/app/event/ical/importer.py b/plone/app/event/ical/importer.py\nindex e5520b3e..a6eeb71c 100644\n--- a/plone/app/event/ical/importer.py\n+++ b/plone/app/event/ical/importer.py\n@@ -229,8 +229,8 @@ def no_file_protocol_url(value):\n \n This opens up security issues.\n """\n- if value and value.startswith("file://"):\n- raise Invalid(_(u"URLs with file:// are not allowed."))\n+ if value and value.startswith("file:"):\n+ raise Invalid(_(u"URLs with file: are not allowed."))\n return True\n \n \ndiff --git a/plone/app/event/tests/test_ical_import.py b/plone/app/event/tests/test_ical_import.py\nindex dffd9af9..16cadaa1 100644\n--- a/plone/app/event/tests/test_ical_import.py\n+++ b/plone/app/event/tests/test_ical_import.py\n@@ -73,3 +73,20 @@ def test_enable_ical_import(self):\n self.assertIn(\n \'URL to an external icalendar resource file\',\n self.browser.contents)\n+\n+ def test_constraint(self):\n+ self.portal.invokeFactory("Folder", "f1")\n+ f1 = self.portal["f1"]\n+ f1_url = f1.absolute_url()\n+ transaction.commit()\n+\n+ # Enable ical import.\n+ self.browser.open(f1_url + "/ical_import_settings/enable")\n+ self.browser.getControl("Confirm action").click()\n+\n+ # Set it to a file url.\n+ self.browser.open(f1_url + "/ical_import_settings")\n+ self.assertIn("URL to an external icalendar resource file", self.browser.contents)\n+ self.browser.getControl(name="form.widgets.ical_url").value = "file:///tmp/test.ical"\n+ self.browser.getControl(name="form.buttons.save").click()\n+ self.assertIn("URLs with file: are not 
allowed.", self.browser.contents)\n' | ||
b'diff --git a/news/100.bugfix b/news/100.bugfix\nnew file mode 100644\nindex 0000000..2d9c017\n--- /dev/null\n+++ b/news/100.bugfix\n@@ -0,0 +1,5 @@\n+Cache stable image scales strongly.\n+When plone.app.imaging is available, this is already done.\n+Otherwise, we should do this ourselves.\n+Fixes `issue 100 <https://github.com/plone/plone.namedfile/issues/100>`_.\n+[maurits]\ndiff --git a/plone/namedfile/scaling.zcml b/plone/namedfile/scaling.zcml\nindex bf76834..e528232 100644\n--- a/plone/namedfile/scaling.zcml\n+++ b/plone/namedfile/scaling.zcml\n@@ -1,5 +1,7 @@\n <configure\n xmlns="http://namespaces.zope.org/zope"\n+ xmlns:cache="http://namespaces.zope.org/cache"\n+ xmlns:zcml="http://namespaces.zope.org/zcml"\n xmlns:browser="http://namespaces.zope.org/browser">\n <include package="zope.annotation" />\n <browser:page\n@@ -20,4 +22,21 @@\n factory=".scaling.DefaultImageScalingFactory"\n for="*"\n />\n+\n+ <!-- In plone.app.caching, image scales are weakly cached.\n+ But stable (uid) image scales should be strongly cached.\n+ When plone.app.imaging is available, this is already done.\n+ Otherwise, we should do this ourselves.\n+ See https://github.com/plone/plone.namedfile/issues/100 -->\n+ <configure zcml:condition="not-installed plone.app.imaging">\n+ <configure zcml:condition="installed z3c.caching">\n+ <include package="z3c.caching" />\n+ <include package="z3c.caching" file="meta.zcml" />\n+ <cache:ruleset\n+ for=".interfaces.IStableImageScale"\n+ ruleset="plone.stableResource"\n+ />\n+ </configure>\n+ </configure>\n+\n </configure>\n' | ||
|
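Review bot: on both the removed and the added side of this hunk the patch payload is stored as the Python repr of a bytes object (`b'diff --git a/news/100.bugfix ...\n'`), with `\n` and `\'` kept as literal escape sequences rather than real line breaks and quotes, so the embedded diff is neither readable nor applicable as written; decode the bytes before writing them to the file (for example `payload.decode("utf-8")`) so the diff lands as plain text. Note also that the hunk header `@@ -1,39 +1,38 @@` shows the whole previous plone.app.event entry (commits 1c13394 and 1ab5ad2, the `file:` protocol check taken over from PloneHotfix20210518) being replaced rather than appended to, so this file only ever holds the latest notification; if it is meant to serve as a log, append the new entry instead of overwriting.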