Zope: 4.5.5 → 4.6.3
-------------------

plone.recipe.zope2instance: 6.8.3 → 6.10.0
------------------------------------------

New features:

- Allow to customize the WSGI pipeline
  [ale-rt, jensens] (#116)
- Add repoze.profile profiling middleware support
  [jensens] (#129)
- Make any ctl script python-env aware
  [sneridagh] (#162)
- Added support for Python 3.9 and restored support for Python 3.5 (needed for Zope 4)
  [dataflake] (#164)

Bug fixes:

- Enable both weekly and manual builds for GitHub Actions
  [jugmac00] (#169)
- Fix unsupported syntax in the requirements files which prevented to evaluate
  the specified constraints during test runs
  [jugmac00]. (#171)
- Applied code style black and isort with Plone/black rules, includes tox/GH-Actions
  [jensens] (#175)
- Fixed ``$PYTHONSTARTUP`` file support for the ``debug`` command under Python 3
  [dataflake] (#167)

i18ndude: 5.3.4 → 5.4.0
-----------------------

New features:

- ``i18ndude rebuild-pot --exclude="name1 name2"`` now also accepts directory names for exclusion.
  Excluding a directory name will exclude all files in and below the given directory,
  but only if the directory name exactly matches an exclusion name (no globs, no substring match).
  This change now also results in the hardcoded exclusions for 'tests' and 'docs' to actually work. (#86)

Bug fixes:

- Test with GitHub Actions instead of Travis CI.
  [maurits] (#83)
- Support Python 3.9. No code changes were needed.
  [maurits] (#83)
- Do not raise AttributeError when content is None. (#84)

Products.ExternalMethod: 4.4 → 4.5
----------------------------------

- update configuration for version 5 of ``isort``
- add support for Python 3.9

Products.PythonScripts: 4.12 → 4.13
-----------------------------------

- make sure "Manager" users can always modify proxy roles (#50)
- add support for Python 3.9
- update configuration for version 5 of ``isort``

diazo: 1.4.0 → 1.4.1
--------------------

Bug fixes:

- Fix problems with tox4 and simplify tox and test setup.
  [loechel] (#80)

mockup: 3.2.5 → 3.2.6
---------------------

Bug fixes:

- Remove fonts from patterns to avoid multiple inline includes.
  [agitator] (#1042)

Plone: 5.2.4 → 5.2.5
--------------------

Bug fixes:

- Release Plone 5.2.5 final
  [maurits]

plone.api: 1.10.4 → 1.11.0
--------------------------

New features:

- Drop support for Plone 4.3, 5.0, 5.1, add support for 6.0.
  The code might still work, but it is no longer tested.
  You can use releases in the 1.10 series on the older versions.
  [maurits] (#431)

Bug fixes:

- Add tests to verify that the intids utility is correct after moving content.
  [ale-rt, maurits] (#430)
- Improve tox.ini so that plone.api could be tested locally.
  Add all tests to travis-ci config.
  Add .editorconfig file to plone.api to help enforce coding conventions
  [loechel] (#448)
- Fix plone.api.content.find to respect object_provides "not" queries.
  Fixes: #451
  [thet] (#452)

plone.app.content: 3.8.7 → 3.8.8
--------------------------------

Bug fixes:

- Allow to use the @@getSource view when we are in an add form
  and we do not have the "Modify portal content" permission (#221)
- Call fileUpload view explicitly with @@ to avoid possible plone.rest clashes.
  [jensens] (#225)
- Fixed stored XSS in folder contents.
  From the PloneHotfix20210518 contents fix.
  [maurits] (#3274)
- Fixed stored XSS from user fullname and possibly other places where ``getVocabulary`` is called.
  This is an alternative to the ``plone.app.users`` workaround from the PloneHotfix20210518 fullname fix.
  [maurits] (#3274)

plone.app.contentmenu: 2.3.2 → 2.3.3
------------------------------------

Bug fixes:

- Updated README.rst.
  [ksuess, jensens] (#1)

plone.app.event: 3.2.10 → 3.2.12
--------------------------------

Bug fixes:

- Do not allow ``file:`` protocol in ical url.
  Previously, only ``file://`` was disallowed, but this left room for relative paths.
  Taken over from PloneHotfix20210518.
  [maurits] (#3274)
- Fix #330 traversal problem in the portlet_events template when an object
  in a folder is called "image" (backport from master)
  [sneridagh] (#330)
- Fix events portlet error when rendering with thumbnails suppressed
  [alecpm] (#332)

plone.app.iterate: 3.3.15 → 4.0.1
---------------------------------

New features:

- Add proper support for DX folderish content
  [sneridagh] (#92)

Bug fixes:

- Fix checkin/checkout process for containers, since there was an annotation left
  to "reset" (pos) on checkout and it broke the sections viewlet
  [sneridagh] (#93)
- Do not break if some custom code provides an alias for Products.Archetypes (#85)
- Black and pep8 compliance
  [sneridagh] (#88)
- Update relations on Check-In WorkingCopy, by trigger an ObjectModifiedEvent event
  black and flake8 formatting
  [2silver] (#89)

plone.app.locales: 5.1.28 → 5.1.29
----------------------------------

- Update Dutch translations.
  [fredvd]
- Fix German translations.
  [pbauer]
- Fix French translations.
  [boulch, laulaz]

plone.app.portlets: 4.4.6 → 4.4.7
---------------------------------

Bug fixes:

- Only allow http and https urls in RSS portlet.
  From Products.PloneHotfix20210518.
  [maurits] (#3274)

plone.app.theming: 4.1.6 → 4.1.7
--------------------------------

Bug fixes:

- Avoid Server Side Request Forgery via lxml parser.
  Taken over from PloneHotfix20210518.
  [maurits] (#3274)

plone.app.upgrade: 2.0.38 → 2.0.39
----------------------------------

Bug fixes:

- Added upgrade to 5213, Plone 5.2.5.
  [maurits] (#525)

plone.app.viewletmanager: 3.1.1 → 3.1.2
---------------------------------------

Bug fixes:

- tweak wording ("unhide" vs. "show" viewlets), remove old Trac reference (#23)

plone.contentrules: 2.1.0 → 2.1.2
---------------------------------

Bug fixes:

- Fixed another deprecation warning for ``ObjectEvent`` from ``zope.component``.
  [maurits] (#3130)
- Fix fields in the interface IRuleConfiguration: enabled, stop and cascading are not required.
  [andreesg] (#11)

plone.dexterity: 2.10.0 → 2.10.2
--------------------------------

Bug fixes:

- Fix export/import of content in Python 3.
  Fixes issue 124.
  Also fixes the tests in combination with newest ``Products.GenericSetup`` 2.1.2.
  [maurits] (#124)
- Officially support Plone 6.0 and Python 3.9. No code changes.
  [maurits] (#1)

plone.folder: 3.0.3 → 3.1.0
---------------------------

New features:

- Restore webdav support
  [frapell] (#16)

plone.formwidget.namedfile: 2.1.0 → 2.1.2
-----------------------------------------

Bug fixes:

- Fix issue where already uploaded images were lost when file validation error occurs
  (https://github.com/plone/plone.formwidget.namedfile/issues/46)
  [fRiSi] (#46)
- Fix `NamedFileWidget` bug when trying to create value from `None`.
  [vangheem] (#35)
- Don't check for hard coded image size in test.
  [agitator] (#40)

plone.memoize: 2.1.0 → 2.1.1
----------------------------

Bug fixes:

- Work in a FIPS enabled environment by using SHA1 instead of MD5 for computing the cache key.
  [frapell] (#25)

plone.namedfile: 5.4.0 → 5.5.1
------------------------------

New features:

- Prevent stored XSS from file upload (svg, html).
  Do this by implementing an allowlist of trusted mimetypes.
  You can turn this around by using a denylist of just svg, html and javascript.
  Do this by setting OS environment variable ``NAMEDFILE_USE_DENYLIST=1``.
  From Products.PloneHotfix20210518.
  [maurits] (#3274)

Bug fixes:

- Cache stable image scales strongly.
  When plone.app.imaging is available, this is already done.
  Otherwise, we should do this ourselves.
  Fixes issue 100.
  [maurits] (#100)

plone.registry: 1.1.6 → 1.2.1
-----------------------------

New features:

- Allow plone.schema.JSONField be stored in registry (as dict-like)
  [sneridagh] (#719)

Bug fixes:

- Fix registry key validation regexp.
  [jensens] (#23)

plone.resource: 2.1.3 → 2.1.4
-----------------------------

Bug fixes:

- Do not throw an error when traversing to a FilesystemResourceDirectory (#31)

plone.restapi: 7.0.0 → 7.3.8
----------------------------

New features:

- Adjust JSONField adapter to include widget name to use in serialization
  [sneridagh] (#1089)
- Allow block transforms to run in "subblocks", discovered as the ``blocks`` field
  (or alternatively, ``data.blocks``) in a block value. (#1085)
- Allow passing ``use_site_search_settings=1`` in the ``@search`` endpoint request,
  to follow Plone's ``ISearchSchema`` settings. (#1081)

Bug fixes:

- Fix navigation endpoint sort by adding default `sort_on='getObjPositionInParent'` to the query.
  @valipod @tiberiuichim (#1107)
- Fix startup on Plone 4 without plone.app.contenttypes.
  [maurits] (#1166)
- Fix error in Plone 4.3 that installed the blocks profile when installing the package,
  instead of the default profile. Fix #895
  [wesleybl] (#895)
- Fixed a deprecation warning when importing UnrestrictedUser from AccessControl (#1129)
- Fix ``@workflow`` when executing user has no permissions to access ``review_history`` in target state.
  [deiferni] (#999)
- Fix ``@history`` when full history is empty.
  [deiferni] (#1113)
- Fix ``@querystring-search`` endpoint with correct sort_order
  @mamico (#1108)
- Fix ``@search`` endpoint with use_site_search_settings flag, for VHM PhysicalRoot scenarios
  @tiberiuichim (#1105)
- Fixes if old p.schema is used
  [sneridagh] (#1103)
- Fixes build was using the released version
  [sneridagh] (#1090)
- @contextnavigation endpoint does not honor nav_title index
  [sneridagh] (#1092)
- Do not log "No such index" warnings for known indexes like metadata_fields
  @cekk (#987)
- Respect "Access inactive portal content" permission in @search endpoint
  [cekk] (#1066)
- Add GSM unsubscribe for test registered adapters in block transformer tests
  @tiberiuichim (#1083)
- Pin some package versions to fix buildout
  @tiberiuichim (#1086)
- Re-release 7.3.6 since it was a brown bag release.

plone.schema: 1.2.1 → 1.3.0
---------------------------

New features:

- Adjust JSONField to include widget name
  [sneridagh] (#10)

plone.schemaeditor: 3.0.2 → 3.0.3
---------------------------------

Bug fixes:

- Make test 'Add a choice field with a named vocabulary' more robust.
  [wesleybl] (#84)

plone.staticresources: 1.4.2 → 1.4.3
------------------------------------

Bug fixes:

- Reduce bundle sizes by not inlining fonts in each bundle - moved plone-fontello
  and glyphicons to their own bundle.
  Icon font bundles use fonts from ++plone++static/fonts/.
  Based on mockup 1.2.6.
  [agitator] (#131)

plone.testing: 8.0.2 → 8.0.3
----------------------------

Bug fixes:

- fix waitress deprecation warning (#77)
- Catch OSError in test teardown when removing a temporary directory.
  Fixes issue 79.
  [maurits] (#79)

Products.CMFCore: 2.5.0 → 2.5.4
-------------------------------

- Fix code and tests when running on ``Products.GenericSetup >= 2.1.2``,
  thus requiring at least that version.
- Do not break at startup when ``subscribers.zcml`` is included but no ``portal_catalog``
  object is in the database, e.g. when starting for the first time.
  (#115)
- Avoid DeprecationWarning for changed import location for ``rfc1123_date``
- Fix several DeprecationWarnings during unit tests (#112)
- Set Cache-Control header in '304 Not Modified' response case as well. (#111)
- Make sure ``getSkinNameFromRequest`` only returns sane values (#109)
- Fix Python 3 incompatibility in ``CookieCrumbler.credentialsChanged``

Products.CMFDiffTool: 3.3.2 → 3.3.3
-----------------------------------

Bug fixes:

- Added XSS fix from PloneHotfix20210518 for inline diff.
  See vulnerability.
  The first version of the hotfix escaped all html.
  Now for the rich text field, use the safe html transform,
  otherwise the inline diff is no longer inline.
  [maurits] (#39)

Products.CMFPlone: 5.2.4 → 5.2.5rc1
-----------------------------------

New features:

- Add PLONE52MARKER Python marker
  [sneridagh] (#3257)

Bug fixes:

- Removed the docstring from various methods to avoid making them available via a url.
  From the Products.PloneHotfix20210518 reflected XSS fix.
  [maurits] (#3274)
- Add the remote code execution fix from the Products.PloneHotfix20210518 expressions patch.
  We need this because Zope 4.6.2 is too strict for us.
  [maurits] (#3274)

Products.DCWorkflow: 2.4.1 → 2.5.0
----------------------------------

New features:

- Add support for Python 3.9.

Bug fixes:

- Avoid a deprecation warning when importing ``gather_permissions`` (#20)
- Avoid a TypeError when adding a managed group to a workflow (#18)

Products.GenericSetup: 2.1.1 → 2.1.3
------------------------------------

- Fix Issue #83 where empty Versions caused an Error
  [gogobd]
- Document and fix behavior of methods that open/read/write filesystem files (#107)
- Fix snapshot comparisons under Python 3 (#85)

Products.isurlinportal: 1.1.1 → 1.2.0
-------------------------------------

New features:

- Treat urls like ``https:example.org`` without slashes as outside the portal.
  Some browsers would redirect to example.org, some would redirect to a non-existing local page.
  We never want this, because this is likely a hack attempt.
  This vulnerability was discovered and reported by Yuji Tounai of Mitsui Bussan Secure Directions, Inc.
  See security advisory 1.
  [maurits] (#1)

Products.PlonePAS: 6.0.7 → 6.0.8
--------------------------------

Bug fixes:

- Fixed tests for cookie auth to also work with `zope.interface` 5.3.0.
  This uses simpler representations for interfaces.
  Tests now pass with earlier and later versions.
  [maurits] (#237)

Products.PluggableAuthService: 2.6.1 → 2.6.4
--------------------------------------------

- Fix method signature of ``PluggableAuthService._setObject`` (#95)
- Fix tests when running on ``Products.GenericSetup >= 2.1.2``,
  thus requiring at least that version.
- ZMI: use flexbox for twolist macro, fixes removing roles in Safari browser. (#91)
- Fix CSRF token access for tighter TAL path expression security in Zope 5.2.1 (#99)
- Changed adding object gui to modal window
- Handle login issues for cookie based login when ``came_from`` is missing (#65)
- Tighten down security on several login string transformation methods (#88)

Products.PluginRegistry: 1.8 → 1.9
----------------------------------

- add support for Python 3.9
- change package structure to move package code into a ``src`` subfolder

Products.PortalTransforms: 3.1.10 → 3.1.11
------------------------------------------

Bug fixes:

- Split method cleaner_options off from scrub_html in safe_html transform.
  This makes it easier to monkey patch or subclass.
  [maurits] (#44)
- REST transform: ignore warnings and stylesheet keyword arguments.
  They can be abused.
  From Products.PloneHotfix20210518.
  [maurits] (#3274)

Products.Sessions: 4.8 → 4.9
----------------------------

- Add support for Python 3.9

Products.SiteErrorLog: 5.4 → 5.5
--------------------------------

- Add support for Python 3.9
- Update configuration for version 5 of ``isort``

plone.app.versioningbehavior: 1.4.2 → 1.4.3
-------------------------------------------

Bug fixes:

- Fix issue where versioning dynamic content types with blob fields broke after
  a schema update due to change in dynamic schema identifiers since plone.dexterity >= 2.10.0
  [datakurre] (#57)

plone.app.blocks: 4.3.2 → 5.0.0
-------------------------------

plone.app.imaging: 2.1.1 → 2.1.2
--------------------------------

Bug fixes:

- Fix traversal handling of subobjects with ids that may also be image scales.
  [rpatterson]

Products.Archetypes: 1.16.4 → 1.16.5
------------------------------------

Bug fixes:

- Fixed incompatibility with ``zope.component`` 5.
  ``zope.component.interfaces`` has long been a backwards compatibility import
  for ``zope.interface.interfaces``, but not anymore.
  [maurits] (#462)