authorCoprDistGit <infra@openeuler.org>2023-05-29 10:40:40 +0000
committerCoprDistGit <infra@openeuler.org>2023-05-29 10:40:40 +0000
commit3ea052c8c01299407aa22986f167ae96d0a0b024 (patch)
tree2607346175c2a0a5b598b2c67a662c1e2a72d3b6
parent33f2f7d05b31f105c2213a0565d8435086ab4d0d (diff)
automatic import of python-products-plonehotfix20210518
-rw-r--r--.gitignore1
-rw-r--r--python-products-plonehotfix20210518.spec166
-rw-r--r--sources1
3 files changed, 168 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..bcbb957 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/Products.PloneHotfix20210518-1.6.tar.gz
diff --git a/python-products-plonehotfix20210518.spec b/python-products-plonehotfix20210518.spec
new file mode 100644
index 0000000..d280fbc
--- /dev/null
+++ b/python-products-plonehotfix20210518.spec
@@ -0,0 +1,166 @@
+%global _empty_manifest_terminate_build 0
+Name: python-Products.PloneHotfix20210518
+Version: 1.6
+Release: 1
+Summary: Various Plone hotfixes, 2021-05-18
+License: GPL
+URL: https://plone.org/security/hotfix/20210518
+Source0: https://mirrors.nju.edu.cn/pypi/web/packages/84/82/4cbd7bab685000b7a4df20745886f752cbece8bb2dcc5ceede9ba2a0ef62/Products.PloneHotfix20210518-1.6.tar.gz
+BuildArch: noarch
+
+Requires: python3-setuptools
+
+%description
+This hotfix fixes several security issues:
+- Remote Code Execution via traversal in expressions via aliases.
+ Reported by David Miller.
+- Remote Code Execution via traversal in expressions (no aliases).
+ Reported by Calum Hutton.
+- Remote Code Execution via traversal in expressions via string formatter.
+ Reported by David Miller.
+- Writing arbitrary files via docutils and Python Script.
+ Reported by Calum Hutton.
+- Stored XSS from file upload (svg, html).
+ Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
+- XSS vulnerability in CMFDiffTool.
+ Reported by Igor Margitich.
+- Reflected XSS in various spots.
+ Reported by Calum Hutton.
+- Various information disclosures: GS, QI, all_users.
+ Reported by Calum Hutton.
+- Stored XSS from user fullname.
+ Reported by Tino Kautschke.
+- Blind SSRF via feedparser accessing an internal URL.
+ Reported by Subodh Kumar Shree.
+- Server Side Request Forgery via event ical URL.
+ Reported by MisakiKata and David Miller.
+- Server Side Request Forgery via lxml parser.
+ Reported by MisakiKata and David Miller.
+- XSS in folder contents on Plone 5.0 and higher.
+ Reported by Matt Moreschi.
+ Only included since version 1.5 of the hotfix.
+- Remote Code Execution via Python Script.
+ Reported by Calum Hutton.
+ Only Plone 5.2 on Python 3 is vulnerable.
+ Only included since version 1.6 of the hotfix.
+
+%package -n python3-Products.PloneHotfix20210518
+Summary: Various Plone hotfixes, 2021-05-18
+Provides: python-Products.PloneHotfix20210518
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-pip
+%description -n python3-Products.PloneHotfix20210518
+This hotfix fixes several security issues:
+- Remote Code Execution via traversal in expressions via aliases.
+ Reported by David Miller.
+- Remote Code Execution via traversal in expressions (no aliases).
+ Reported by Calum Hutton.
+- Remote Code Execution via traversal in expressions via string formatter.
+ Reported by David Miller.
+- Writing arbitrary files via docutils and Python Script.
+ Reported by Calum Hutton.
+- Stored XSS from file upload (svg, html).
+ Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
+- XSS vulnerability in CMFDiffTool.
+ Reported by Igor Margitich.
+- Reflected XSS in various spots.
+ Reported by Calum Hutton.
+- Various information disclosures: GS, QI, all_users.
+ Reported by Calum Hutton.
+- Stored XSS from user fullname.
+ Reported by Tino Kautschke.
+- Blind SSRF via feedparser accessing an internal URL.
+ Reported by Subodh Kumar Shree.
+- Server Side Request Forgery via event ical URL.
+ Reported by MisakiKata and David Miller.
+- Server Side Request Forgery via lxml parser.
+ Reported by MisakiKata and David Miller.
+- XSS in folder contents on Plone 5.0 and higher.
+ Reported by Matt Moreschi.
+ Only included since version 1.5 of the hotfix.
+- Remote Code Execution via Python Script.
+ Reported by Calum Hutton.
+ Only Plone 5.2 on Python 3 is vulnerable.
+ Only included since version 1.6 of the hotfix.
+
+%package help
+Summary: Development documents and examples for Products.PloneHotfix20210518
+Provides: python3-Products.PloneHotfix20210518-doc
+%description help
+This hotfix fixes several security issues:
+- Remote Code Execution via traversal in expressions via aliases.
+ Reported by David Miller.
+- Remote Code Execution via traversal in expressions (no aliases).
+ Reported by Calum Hutton.
+- Remote Code Execution via traversal in expressions via string formatter.
+ Reported by David Miller.
+- Writing arbitrary files via docutils and Python Script.
+ Reported by Calum Hutton.
+- Stored XSS from file upload (svg, html).
+ Reported separately by Emir Cüneyt Akkutlu and Tino Kautschke.
+- XSS vulnerability in CMFDiffTool.
+ Reported by Igor Margitich.
+- Reflected XSS in various spots.
+ Reported by Calum Hutton.
+- Various information disclosures: GS, QI, all_users.
+ Reported by Calum Hutton.
+- Stored XSS from user fullname.
+ Reported by Tino Kautschke.
+- Blind SSRF via feedparser accessing an internal URL.
+ Reported by Subodh Kumar Shree.
+- Server Side Request Forgery via event ical URL.
+ Reported by MisakiKata and David Miller.
+- Server Side Request Forgery via lxml parser.
+ Reported by MisakiKata and David Miller.
+- XSS in folder contents on Plone 5.0 and higher.
+ Reported by Matt Moreschi.
+ Only included since version 1.5 of the hotfix.
+- Remote Code Execution via Python Script.
+ Reported by Calum Hutton.
+ Only Plone 5.2 on Python 3 is vulnerable.
+ Only included since version 1.6 of the hotfix.
+
+%prep
+%autosetup -n Products.PloneHotfix20210518-1.6
+
+%build
+%py3_build
+
+%install
+%py3_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
+pushd %{buildroot}
+if [ -d usr/lib ]; then
+ find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/lib64 ]; then
+ find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/bin ]; then
+ find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/sbin ]; then
+ find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+touch doclist.lst
+if [ -d usr/share/man ]; then
+ find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
+fi
+popd
+mv %{buildroot}/filelist.lst .
+mv %{buildroot}/doclist.lst .
+
+%files -n python3-Products.PloneHotfix20210518 -f filelist.lst
+%dir %{python3_sitelib}/*
+
+%files help -f doclist.lst
+%{_docdir}/*
+
+%changelog
+* Mon May 29 2023 Python_Bot <Python_Bot@openeuler.org> - 1.6-1
+- Package Spec generated
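Review bot: The Source0 URL in the spec header pulls the hotfix tarball from a regional PyPI mirror, so for a package whose whole purpose is shipping security fixes the only integrity anchor is the md5 recorded in `sources`; prefer the canonical `Source0: https://files.pythonhosted.org/packages/84/82/4cbd7bab685000b7a4df20745886f752cbece8bb2dcc5ceede9ba2a0ef62/Products.PloneHotfix20210518-1.6.tar.gz` and record a sha256 alongside the md5 where the import tooling allows it. `License: GPL` in the same header is not a specific identifier; replace it with the exact version named in the sdist's license file, e.g. `License: <exact GPL identifier from the tarball LICENSE — placeholder>`. The runtime dependency list is a bare `Requires: python3-setuptools`, which looks thin for a hotfix that is only meaningful installed next to Plone itself; presumably the Plone runtime package should be required or auto-generated from the sdist metadata — confirm before this builds as an installable unit.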
diff --git a/sources b/sources
new file mode 100644
index 0000000..c4e6088
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+d4474940842e9d50aa0d0b64263ba4f8 Products.PloneHotfix20210518-1.6.tar.gz