pip: 26.1.1 → 26.1.2
--------------------

Plone: 6.2.0 → 6.2.1
--------------------

- Prepare release. [maurits]

plone.api: 3.0.0 → 3.0.2
------------------------

Bug fixes:

- The `@required_parameters` decorator can work with arguments that do not have a default. @ale-rt #248
- Clean up. @ale-rt #592

Internal:

- Add typing annotations. [@ale-rt]
- Remove redundant and deprecated pull request preview build workflow. @stevepiercy
- Update configuration files. @plone

plone.app.contenttypes: 5.0.0 → 5.0.1
-------------------------------------

Bug fixes:

- Restrict title to 1024 and description to 10000. This is for images and files. For others, a similar change is done in ``plone.app.dexterity``. See `security advisory`_. [maurits]

Internal:

- Update configuration files. [plone devs]

plone.app.dexterity: 5.0.0 → 5.0.1
----------------------------------

Bug fixes:

- Added ``max_length`` constraints to the ``title`` (1024 characters) and ``description`` (10000 characters) fields of the ``IBasic`` behavior. Very long values slow down the site because these fields are rendered in listings, navigation, and the management interface. Developers who need higher limits can override the fields in a downstream package::

      from plone.app.dexterity.behaviors.metadata import IBasic

      IBasic["title"].max_length = 5000  # or None to remove the limit
      IBasic["description"].max_length = 50000  # same pattern for description

  Place this in your package's ``__init__.py`` or any other Python module loaded at startup. See `security advisory`_. (#433)

plone.app.event: 6.0.0 → 6.0.1
------------------------------

Bug fixes:

- Security: harden the icalendar import to prevent denial of service and stored XSS.

  - Be more strict in which urls we accept.
  - Check for timeout and limit the number of bytes. Get this limit from environment variable ``MAXIMUM_ICAL_IMPORT_SIZE_BYTES``, default 500000.
  - Add a limit to how many events can be imported via ical. Get this limit from environment variable ``MAXIMUM_ICAL_IMPORT_EVENTS``, default 366.
  - Use transaction savepoints instead of a commit per event.
  - Check that event urls (via import or normal edit) are valid, for example no ``javascript`` urls.

  [maurits]

plone.app.layout: 6.0.1 → 6.0.2
-------------------------------

Bug fixes:

- Take into account the value of the request parameter ``page`` when caching the generated sitemap. @erral

plone.app.locales: 7.0.2 → 7.0.3
--------------------------------

New features:

- Add translations for pat-filemanager. @MrTango @petshki

plone.app.multilingual: 9.0.0 → 9.0.1
-------------------------------------

Tests:

- Add functional test to ensure that adding a new language to the list of supported languages correctly creates the corresponding Language Root Folder immediately. [erral] (#543)

plone.app.portlets: 7.0.0 → 7.0.2
---------------------------------

Bug fixes:

- Fix TALES expression injection (remote code execution) in the Classic portlet. The user-supplied ``template`` and ``macro`` fields are now validated against a strict whitelist that forbids TALES metacharacters (notably ``:`` and ``|``), so they can no longer be turned into a TALES expression with a ``python:`` type or a ``|`` fallback chain when passed to the TAL ``path()`` helper. Validation is enforced both on the add/edit form fields and again at render time (for assignments created programmatically). Reported by Giuseppe Caruso (giuseppe.caruso@betrusted.it) (GHSA-rr49-f9g6-c9r5).
- RSS portlet: fix passing last modified header. [maurits]
- Security fixes in RSS portlet.

  - Be strict in which RSS feed urls we accept in the RSS portlet. Only http/https urls. Refuse internal IP addresses, single word domains, and port numbers, to avoid abuse as a port scanner.
  - Refuse downloading gigantic RSS feeds, to avoid a denial of service attack. You can influence this by setting environment variable ``MAXIMUM_RSS_FEED_SIZE_BYTES``. Default maximum is 1 million.

  See `security advisory`_. [maurits]

Documentation:

- Document the @@render-portlet view, which can be used to reload a portlet via AJAX. @thet

plone.app.testing: 8.0.0 → 8.0.1
--------------------------------

Bug fixes:

- Use ``plone.base.utils`` instead of ``Products.CMFPlone.utils`` when deprecated. No longer pass deprecated ``setup_content=False`` to the ``addPloneSite`` call. [maurits]

plone.app.textfield: 4.0.0 → 4.0.1
----------------------------------

Bug fixes:

- Security: Always sanitize RichText output for the safe-HTML output type. See https://github.com/plone/plone.app.textfield/security/advisories/GHSA-4r4f-gg25-rmg5 @gyst

plone.app.upgrade: 4.0.0 → 4.1.0
--------------------------------

New features:

- Add structure for upgrade steps for Plone 6.3. [maurits]

Internal:

- Added upgrade to 6204, Plone 6.2.1. [maurits]
- Added upgrade to 6300, Plone 6.3.0a1. [maurits]

plone.base: 4.0.0 → 4.0.1
-------------------------

Bug fixes:

- Add ``sizes`` attribute to allowed picture variants. [MrTango] (#180)
- Remove deprecation warning for `Batch.__len__` again. Calling this method is simply unavoidable. [maurits] (#3176)

Internal:

- Update configuration files. [plone devs]

plone.namedfile: 8.0.0 → 8.1.0
------------------------------

New features:

- Allow setting ``lazy`` to false, to suppress the ``loading="lazy"`` attribute. [MrTango] (#180)

Bug fixes:

- Set ``sizes`` attribute on picture tags. [MrTango] (#179)

plone.outputfilters: 6.0.0 → 6.0.1
----------------------------------

Bug fixes:

- Allow ``sizes`` attribute in picture tags, see https://github.com/plone/plone.namedfile/pull/180 [MrTango] (#180)

plone.portlet.collection: 5.0.0 → 5.0.1
---------------------------------------

Internal:

- Update configuration files. [plone devs]

plone.registry: 3.0.0 → 3.0.1
-----------------------------

Bug fixes:

- Invalidate the request cache for a record before firing the IRecordModifiedEvent to ensure subscribers see the new value. [erral] (cache_invalidation)

plone.restapi: 10.0.0 → 10.0.2
------------------------------

Bug fixes:

- Make the `@site` endpoint public, so that anonymous requests get the site bootstrap data even on sites that require authentication to view content. @reebalazs #2022
- Fix warnings about `utcnow` and a short HMAC secret in tests. @davisagli
- Security: in rich text fields, do not accept input that claims it is already sanitized. Specifically, raise a ValueError when deserializing a text field with input mimetype `text/x-html-safe`. See https://github.com/plone/plone.restapi/security/advisories/GHSA-8rqh-vxpr-x77p @gyst

Internal:

- Replace `getAdapter(context, ISecuritySchema)` with `registry.forInterface(ISecuritySchema, prefix="plone")` in user services. @jensens #2011
- Remove redundant and deprecated pull request preview build workflow. @stevepiercy

plone.staticresources: 3.0.0 → 3.0.2
------------------------------------

Bug fixes:

- Update mockup=5.6.7. See https://github.com/plone/mockup/releases/tag/5.6.7 @petschki
- Update mockup=5.6.5. See https://github.com/plone/mockup/releases/tag/5.6.5
  Update mockup=5.6.6. See https://github.com/plone/mockup/releases/tag/5.6.6 @petschki

Internal:

- Upgrade to pnpm v11.

plone.volto: 6.0.0 → 6.0.1
--------------------------

Bug fixes:

- Create savepoints instead of transactions in the `reindex_block_types` upgrade step. @davisagli

Products.CMFPlone: 6.2.0 → 6.2.1
--------------------------------

Bug fixes:

- Always allow access to the scripts and styles viewlets. Otherwise the site may look ugly when you don't have access to the context. @mauritsvanrees #4239
- Import from `plone.base.utils` instead of `Products.CMFPlone.utils` where possible. @mauritsvanrees

Internal:

- Replace BBB ``getAdapter`` calls with ``registry.forInterface()`` in the usergroups control panel. @jensens #1050
- Updated metadata version to 6204. @mauritsvanrees

icalendar: 7.1.1 → 7.2.0
------------------------

- Added type hints to all methods in the module :mod:`~icalendar.error`. @Priyanshu-pulak (`Issue #938`_)
- Comparing components with ``Component.__eq__`` is no longer exponential in the subcomponent nesting depth, removing a denial-of-service vector where a deeply nested component could take minutes to compare. See `GHSA-cv84-9p8j-fj68`_. @tidusec
- Update maintenance documentation. Fix the version switcher on "stable" on Read the Docs. @stevepiercy (`Issue #1352`_)

zest.releaser: 9.9.0 → 9.9.1
----------------------------

cryptography: 47.0.0 → 48.0.1
-----------------------------

PyJWT: 2.12.1 → 2.13.0
----------------------

robotframework-assertion-engine: 3.0.3 → 5.0.1
----------------------------------------------

robotframework-browser: 19.10.1 → 20.0.0
----------------------------------------

robotframework-pythonlibcore: 4.4.1 → 4.6.0
-------------------------------------------

robotframework-seleniumlibrary: 6.8.0 → 6.9.0
---------------------------------------------

selenium: 4.9.1 → 4.44.0
------------------------
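The plone.app.portlets entries above describe the Classic portlet whitelist and the RSS portlet URL and size rules without showing them. The following is an added example, not code from plone.app.portlets, that implements those rules as standalone checks; the function names, the exact whitelist charset for path segments, and the bounded-read helper are assumptions made here.

```python
import ipaddress
import os
import re
from urllib.parse import urlsplit

# Assumed conservative whitelist for values handed to the TAL path() helper
# (not plone.app.portlets' own regex): no ':' (expression type prefix) and
# no '|' (fallback chain), so the value can only ever be a plain path.
_PATH_SEGMENT = re.compile(r"^[A-Za-z0-9_.\-/]+$")


def validate_path_segment(value: str) -> bool:
    """True if ``value`` is safe to interpolate into a TAL path expression."""
    return bool(value) and _PATH_SEGMENT.match(value) is not None


def validate_feed_url(url: str) -> bool:
    """RSS portlet rules: http/https only, no single-word hosts, no explicit
    port, no internal IP literals (blocks use of the portlet as a scanner)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    try:
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False
    if not host or port is not None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname rather than an IP literal: require at least one dot.
        # It may still resolve to an internal address (DNS rebinding), so
        # the resolved address must be checked again at connect time.
        return "." in host
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def max_feed_bytes() -> int:
    """Size cap from MAXIMUM_RSS_FEED_SIZE_BYTES, default 1 million."""
    return int(os.environ.get("MAXIMUM_RSS_FEED_SIZE_BYTES", "1000000"))


def read_bounded(stream, limit: int) -> bytes:
    """Read at most ``limit`` bytes; refuse (rather than buffer) anything larger."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError(f"feed exceeds {limit} bytes")
    return data
```

The hostname branch only rejects single-word names; pairing it with a re-check of the resolved address at connection time closes the DNS rebinding gap noted in the comment.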