For clarification on the BLOB issue, just ask Sauzher, who "spotted" it :)<div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Information for security researchers<br>Impact Subscore: 4.9<br>Exploitability Subscore: 10<br>Overall CVSS Score: 5<br>Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P/E:P/RL:O/RC:C)<br>CWE: CWE-306<br>Credit: Alessandro SauZheR</blockquote>
<div><br></div><div>Vito<br><br><div class="gmail_quote">2012/11/7 Yuri <span dir="ltr"><<a href="mailto:yurj@alfa.it" target="_blank">yurj@alfa.it</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<a href="http://plone.org/products/plone/security/advisories/20121106" target="_blank">http://plone.org/products/plone/security/advisories/20121106</a><br>
<br>
here are all the problems fixed by the hotfix. Some are paranoid for normal cases (how many real untrusted users do we have writing Python scripts?); the only one worth noting, it seems to me, is this one:<br>
<br>
<a href="http://plone.org/products/plone/security/advisories/20121106/17" target="_blank">http://plone.org/products/plone/security/advisories/20121106/17</a><br>
<br>
BLOBs stored on custom content types can be accessed through a non-standard URL, bypassing the declared permission check<br>
<br>
Anonymous users can use a crafted URL to illegitimately download Files and Images.  Thanks to Karl Johan Kleist who found that this had been incorrectly reported, and let the security team know.<br>
<br>
===============<br>
<br>
So I think this is the only "real" problem. From the fix it looks like the field is accessible through its index_html method. So from a web URL you somehow reach the field, and from there the method lets you download the file, regardless of permissions.<br>

<br>
Do you agree?<br>
<br>
_______________________________________________<br>
Plone-IT mailing list<br>
<a href="mailto:Plone-IT@lists.plone.org" target="_blank">Plone-IT@lists.plone.org</a><br>
<a href="https://lists.plone.org/mailman/listinfo/plone-plone-it" target="_blank">https://lists.plone.org/mailman/listinfo/plone-plone-it</a><br>
<a href="http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html" target="_blank">http://plone-regional-forums.221720.n2.nabble.com/Plone-Italy-f221721.html</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><b>Vito Falco</b><br>Freelance web developer &amp; designer, Plone <span style="font-family:arial,sans-serif;font-size:13px;white-space:nowrap;background-color:rgb(255,255,255)">enthusiast</span> </div>
<div>Bari, IT</div><div>tel +39 3346330137 | skype vito80ba | twitter vito80ba</div><div>Blog <a href="http://appuntiplone.wordpress.com/" target="_blank">http://appuntiplone.wordpress.com</a> </div><br>
</div></div>
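The following is an added example, not Plone's code and not written by anyone in this thread. It models the bug class Yuri describes (a stored-file field whose own index_html serves the blob without re-applying the permission declared on the owning content item, i.e. CWE-306) and shows the fix pattern: the leaf object re-checks its owner's permission itself, so it no longer matters which URL the request took to reach it. All class names, the toy publisher in `traverse`, and the paths `/doc` and `/doc/file/index_html` are hypothetical and do not mirror Plone's real API or URL layout.

```python
# Added example (hypothetical classes, not Plone's API): a content item with a
# declared view permission, and two versions of the file field that hangs off it.
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when a user lacks the permission required to view a resource."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


# Constructed sample principals.
ANONYMOUS = User("anonymous")
MEMBER = User("alice", frozenset({"Member"}))


class Content:
    """A content item whose declared permission restricts who may view it."""

    def __init__(self, blob: bytes, view_roles: set, guarded_field: bool):
        self.blob = blob
        self.view_roles = frozenset(view_roles)
        field_cls = GuardedFileField if guarded_field else UnguardedFileField
        self.file = field_cls(self)  # the stored-file field, reachable by traversal

    def can_view(self, user: User) -> bool:
        return bool(self.view_roles & user.roles)

    def index_html(self, user: User) -> bytes:
        # The normal download path: the permission declared on the content
        # item is enforced before the blob is handed out.
        if not self.can_view(user):
            raise Unauthorized(user.name)
        return self.blob


class UnguardedFileField:
    """Serves the blob as-is, trusting that something upstream already checked."""

    def __init__(self, owner: Content):
        self.owner = owner

    def index_html(self, user: User) -> bytes:
        return self.owner.blob


class GuardedFileField(UnguardedFileField):
    """Same field, but it re-checks the owner's declared permission itself."""

    def index_html(self, user: User) -> bytes:
        if not self.owner.can_view(user):
            raise Unauthorized(user.name)
        return self.owner.blob


def traverse(root: dict, path: str, user: User) -> bytes:
    """Resolve a URL path to an object and call its index_html.

    Toy publisher: each segment is an attribute lookup, so the container's own
    check only runs when the request stops at the container itself.
    """
    segments = [s for s in path.split("/") if s]
    obj = root[segments[0]]
    for name in segments[1:]:
        if name == "index_html":
            break
        obj = getattr(obj, name)
    return obj.index_html(user)


def outcome(path: str, user: User, guarded: bool) -> str:
    """Return 'served' or 'denied' for a request against a Member-only item."""
    site = {"doc": Content(b"constructed-secret-bytes", {"Member"}, guarded)}
    try:
        traverse(site, path, user)
        return "served"
    except Unauthorized:
        return "denied"


if __name__ == "__main__":
    for guarded in (False, True):
        for path in ("/doc", "/doc/file/index_html"):
            print(f"guarded={guarded} {path}: {outcome(path, ANONYMOUS, guarded)}")
```

With the unguarded field, the anonymous request is denied at `/doc` but served at `/doc/file/index_html`, which is exactly the "same data, different URL, no check" shape of the advisory; with the guarded field both paths give the same answer, because the decision now lives on the object that actually releases the bytes rather than on one particular route to it.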