Zope 4.8.7 → 4.8.10
-------------------
- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch to a list of denied types by setting the OS environment variable OFS_IMAGE_USE_DENYLIST=1. You can override the allowed list with the environment variable ALLOWED_INLINE_MIMETYPES and the disallowed list with DISALLOWED_INLINE_MIMETYPES. Separate multiple entries by either comma or space. This change only affects direct URL access. works the same as before. (CVE-2023-42458) See security advisory.
- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
- Update RestrictedPython to version 5.4 to fix a potential security issue. (CVE-2023-41039)
- Update AccessControl to version 4.4 to fix a potential security issue. (CVE-2023-41050)
- Sanitize tainting, fixing #1095.
- Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6.
- Only set response header Content-Type as text/html on exception views when the response has content. (#1089)
- Update dependencies to the latest releases for each supported Python version.
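The inline/download decision described in the first entry above, as an added example that is not Zope's own code: it reads the three environment variables the entry names, splits lists on commas or spaces, and emits a ``Content-Disposition: attachment`` header when a type must not be rendered inline. The default allow and deny lists here are assumptions (the entry does not enumerate Zope's defaults), as is the ``image_response_headers`` helper.

```python
import os

# Assumed defaults: the changelog says an allow-list is used by default but does
# not list its members, so these sets are illustrative, not Zope's actual values.
DEFAULT_ALLOWED = frozenset({"image/gif", "image/jpeg", "image/png", "image/webp"})
DEFAULT_DENIED = frozenset({"image/svg+xml"})


def parse_mimetype_list(value):
    """Split an env-var value on commas and/or whitespace into a lower-cased set."""
    return frozenset(t.lower() for t in value.replace(",", " ").split())


def inline_allowed(content_type, env=None):
    """True if an image of this MIME type may be shown inline, False if it must be downloaded.

    Per the changelog: allow-list by default; OFS_IMAGE_USE_DENYLIST=1 switches to a deny-list;
    ALLOWED_INLINE_MIMETYPES / DISALLOWED_INLINE_MIMETYPES override the respective list.
    """
    if env is None:
        env = os.environ
    # Drop parameters such as "; charset=utf-8" before comparing.
    ctype = content_type.split(";", 1)[0].strip().lower()
    if env.get("OFS_IMAGE_USE_DENYLIST", "").strip() == "1":
        override = env.get("DISALLOWED_INLINE_MIMETYPES", "")
        denied = parse_mimetype_list(override) if override.strip() else DEFAULT_DENIED
        return ctype not in denied
    override = env.get("ALLOWED_INLINE_MIMETYPES", "")
    allowed = parse_mimetype_list(override) if override.strip() else DEFAULT_ALLOWED
    return ctype in allowed


def image_response_headers(content_type, filename, env=None):
    """Hypothetical helper: headers for serving an image by direct URL access.

    Types that may not be inlined get a forced download, which is the mitigation
    for stored XSS via SVG (CVE-2023-42458) described in the changelog.
    """
    headers = {"Content-Type": content_type}
    if not inline_allowed(content_type, env):
        # Quotes in the filename are stripped to keep the header value well-formed.
        safe_name = filename.replace('"', "")
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
    return headers
```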
plone.recipe.zope2instance: 6.12.0 → 6.12.1
-------------------------------------------
Documentation:
- Update README: for ``RotatingFileHandler`` ``maxCount`` is not a valid keyword argument.
Use ``backupCount``.
[gforcada] (#190)
plone.releaser: 1.8.8 → 1.8.9
-----------------------------
Bug fixes:
- Allow disabling PyPI rights check, as this does not know how to check organisations.
Set env variable ``PLONE_RELEASER_CHECK_PYPI_ACCESS=0`` if you want to disable it.
Also, we do not check PyPI if the user is ``__token__``, i.e. when using an API token.
[maurits] (#50)
- Fix missing changelog entries when running ``bin/manage changelog``.
[maurits] (#60)
Plone: 5.2.13 → 5.2.14
----------------------
Bug fixes:
- Release Plone 5.2.14.
[maurits]
plone.app.multilingual: 5.6.4 → 5.6.6
-------------------------------------
Bug fixes:
- Fix setting Indonesian language cookie on site root: must be ``id``, not ``id-id``.
[maurits] (#304)
- Fix ``set_recursive_language`` to actually find child objects.
[maurits] (#304)
- Root language switcher: redirect to ``id-id`` if the Indonesian language is preferred.
[maurits] (#304)
- Do not unset the language on the Indonesian root language folder when saving the control panel.
This language has ``id`` as code. This is not allowed as an id in Plone, so it is created as ``id-id`` instead.
This needs some special handling.
Added upgrade to recursively fix this language folder to set the Indonesian language. This is only done when the folder itself has the wrong language.
[maurits] (#304)
plone.app.upgrade: 2.1.6 → 2.1.7
--------------------------------
Bug fixes:
- Added upgrade to 5222, Plone 5.2.14.
[maurits] (#5222)
plone.namedfile: 5.6.0 → 5.6.1
------------------------------
Bug fixes:
- Fix stored XSS (Cross Site Scripting) for SVG images.
Done by forcing a download instead of displaying inline.
See the security advisory.
[maurits] (#1)
plone.restapi: 7.8.2 → 7.8.3
----------------------------
Bug fixes:
- Fix content serializer with an old version of an item that was renamed. @davisagli (#1651)
Products.CMFCore: 2.7.0 → 2.7.1
-------------------------------
- Make ``decodeFolderFilter`` and ``encodeFolderFilter`` non-public.
This is the workaround from CVE-2023-36814.
Products.CMFPlone: 5.2.13 → 5.2.14
----------------------------------
Bug fixes:
- Update metadata version to 5222, Plone 5.2.14.
[maurits] (#5222)