Take over changes from branch release/5.2-dev.

.gitignore

@@ -18,6 +18,7 @@
 /etc
 /experimental/develop/
 /pyvenv.cfg
+/release/.tox
 /release/constraints2.txt
 /release/constraints3*.txt
 bin

release/RELEASE-NOTES.md

@@ -1,57 +1,44 @@
-# Release notes for Plone 5.2.14
+# Release notes for Plone 5.2.15
 
-* Released: Thursday September 21, 2023
-* This is expected to be the last maintenance release.
+* Released: Thursday August 1, 2024
+* This is expected to be the last maintenance release.  Already one more than was promised.
 * Check the [release schedule](https://plone.org/download/release-schedule).
 * Read the [upgrade guide](https://5.docs.plone.org/manage/upgrading/version_specific_migration/upgrade_to_52.html), explaining the biggest changes compared to 5.1.
-* Canonical place for these [release notes](https://dist.plone.org/release/5.2.14/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/5.2.14/changelog.txt).
+* Canonical place for these [release notes](https://dist.plone.org/release/5.2.15/RELEASE-NOTES.md) and the full [packages changelog](https://dist.plone.org/release/5.2.15/changelog.txt).
 
 If you want to jump straight in, here are two important links:
 
-* With pip you can use the constraints file at [https://dist.plone.org/release/5.2.14/constraints.txt](https://dist.plone.org/release/5.2.14/constraints.txt)
-* With Buildout you can use the versions file at [https://dist.plone.org/release/5.2.14/versions.cfg](https://dist.plone.org/release/5.2.14/versions.cfg).
+* With pip you can use the constraints file at [https://dist.plone.org/release/5.2.15/constraints.txt](https://dist.plone.org/release/5.2.15/constraints.txt)
+* With Buildout you can use the versions file at [https://dist.plone.org/release/5.2.15/versions.cfg](https://dist.plone.org/release/5.2.15/versions.cfg).
 
 
 ## Highlights
 
-Major changes since 5.2.13:
-
-* This includes security fixes from today's announcement:
-  * https://community.plone.org/t/plone-security-advisory-2023-09-21/17941
-  * https://plone.org/security/hotfix/20230921
-* `Zope`:
-  * Security fixes in `AccessControl` and `RestrictedPython`.  See [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849).
-  * Allow only some image types to be displayed inline. Force download for others, especially SVG images.
-  * Tighten down the ZMI frame source logic to only allow site-local sources.
-* `plone.namedfile`: Fix stored XSS (Cross Site Scripting) for SVG images.
-* `plone.rest`: When ``++api++`` is in the url multiple times, redirect to the proper url.
-* `plone.restapi`:
-  * Fix stored XSS (Cross Site Scripting) for SVG image in user portrait.
-* `Products.CMFCore`: Make `decodeFolderFilter` and `encodeFolderFilter` non-public.
-  This is the workaround from [CVE-2023-36814](https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87).
-* `plone.app.multilingual`:
-  * Fix various problems when using the Indonesian language in a multilingual setup.
-    This language has ``id`` as code.  This is not allowed as an id in Plone, so it has always been created as ``id-id`` instead.
-    This needs some special handling.
-  * Fix ``set_recursive_language`` to actually find child objects.  This is used to make sure that a language folder only contains content in this language.
+Major changes since 5.2.14:
+
+* `plone.recipe.zope2instance`:
+  * Add support for setting max_value_length in Sentry init.  When you use this option, you should use `sentry-sdk` 1.29.0 or higher.
+  * Add ``dos_protection`` config.  With Zope 5.8.4+ you may get ``zExceptions.BadRequest: data exceeds memory limit`` when uploading an image or file of more than 1 MB.  To increase this limit, you can add this in your instance recipe, and choose your own limit: `zope-conf-additional = <dos_protection>form-memory-limit 4MB</dos_protection>`
+* `plone.app.discussion`: Provide HCaptcha if `plone.formwidget.hcaptcha` is installed.  Apply validation for all captchas.
+* `plone.restapi`: Added `@site` and `@navroot` endpoints.
+* For the rest see the full packages changelog linked above.
 
 
 ## Last maintenance release
 
-Plone 5.2.14 is planned to be the last regular release of Plone 5.2.
-This release was originally planned for October, but we moved it forward to have the security fixes in a full release.  If there are good reasons, we can still make a new release.
+Plone 5.2.15 is planned to be the last regular release of Plone 5.2.
 
-After October 2023, Plone 5.2 is out of maintenance support.
+Plone 5.2 is actually already out of maintenance support since October 2023, but I decided it was fine to gather some last changes and release them.
 
-There is still one year of security support, until October 31, 2024.
+There is still security support, but only until October 31, 2024.
 At that moment, even Python 3.8 is out of security support by the Python community.
 
 
 ## Python compatibility
 
 This release supports Python 2.7 and 3.8.
 
-Python 3.6 and 3.7 should still work, but these are end of life and no longer supported.
+Python 3.6 and 3.7 should still work, but these are end-of-life, untested, and no longer supported.
 
 Plone 5.2 still supports Python 2.7, but this is end-of-life since 2020.  It should only be used as a temporary stepping stone before you migrate your Plone site to Python 3.
 
@@ -77,13 +64,23 @@ wheel==0.38.4
 In general you are free to use whatever versions work for you, especially newer ones, but these worked for us.
 
 Note that `setuptools` 66 is more strict with what versions it can recognize.  If you run `pip` or `buildout` and it suddenly cannot find a package with a non-standard version, then this may be the cause.  This is why we stayed at version 65 for Plone 5.2.
+`setuptools` 70 will cause problems with current `zc.buildout` 3.0.1, so keep your eyes out for a new `zc.buildout` release.
 
 
 ## Installation
 
 For installation instructions, see the [documentation](https://5.docs.plone.org/manage/installing/index.html).
 
-There is still a [Unified Installer](https://launchpad.net/plone/5.2/5.2.14).  One warning there: we could no longer test this on Python 2.7.  It *should* work though.
+There is still a [Unified Installer](https://launchpad.net/plone/5.2/5.2.15).  One warning there: we could no longer test this on Python 2.7.  It *should* work though.
+
+For previous Plone 5.2 patch releases we always added all used package distributions on the dist.plone.org server, so you could use this as a "find-link" in Buildout or pip.
+This was a historical practice, mostly to have a fallback when a distribution of a third party package was removed from the Python Package Index.
+This problem hardly ever happens anymore, so the added value of uploading these distributions is questionable.
+It turned out to be harder to gather all packages, so I abandoned it.
+If you somehow need this, it should work fine to add the directory of the previous release to the find-links:
+https://dist.plone.org/release/5.2.14/
+Only a few packages have different versions in 5.2.15.
+
 
 ## Issues
 

release/changelog.txt

@@ -1,101 +1,120 @@
-Zope 4.8.7 → 4.8.10
--------------------
-
-- Allow only some image types to be displayed inline. Force download for others, especially SVG images. By default we use a list of allowed types. You can switch a to a list of denied types by setting OS environment variable OFS_IMAGE_USE_DENYLIST=1. You can override the allowed list with environment variable ALLOWED_INLINE_MIMETYPES and the disallowed list with DISALLOWED_INLINE_MIMETYPES. Separate multiple entries by either comma or space. This change only affects direct URL access. <img src="image.svg" /> works the same as before. (CVE-2023-42458) See security advisory.
-- Tighten down the ZMI frame source logic to only allow site-local sources. Problem reported by Miguel Segovia Gil.
-- Update RestrictedPython to version 5.4 to fix a potential a security issue. (CVE-2023-41039)
-- Update AccessControl to version 4.4 to fix a potential a security issue. (CVE-2023-41050)
-- Sanitize tainting fixing #1095
-- Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6.
-- Only set response header Content-Type as text/html on exception views when the response has content. (#1089)
-Update dependencies to the latest releases for each supported Python version.
-
-plone.recipe.zope2instance: 6.12.0 → 6.12.1
+plone.recipe.zope2instance: 6.12.1 → 6.13.0
 -------------------------------------------
-Documentation:
+New features:
 
-- Update README: for ``RotatingFileHandler`` ``maxCount`` is not a valid keyword argument.
-  Use ``backupCount``.
-  [gforcada] (#190)
+- Add support for setting max_value_length in Sentry init.
+  When you use this option, you should use `sentry-sdk` 1.29.0 or higher.
+  [gyst] (#193)
 
+- Add ``dos_protection`` config.
+  With Zope 5.8.4+ you may get ``zExceptions.BadRequest: data exceeds memory limit`` when uploading an image or file of more than 1 MB.
+  To increase this limit, you can add this in your instance recipe, and choose your own limit::
 
-plone.releaser: 1.8.8 → 1.8.9
------------------------------
-Bug fixes:
+    zope-conf-additional =
+      <dos_protection>
+        form-memory-limit 4MB
+      </dos_protection>
+
+  [@mamico] (#191)
 
-- Allow disabling PyPI rights check, as this does not know how to check organisations.
-  Set env variable ``PLONE_RELEASER_CHECK_PYPI_ACCESS=0`` if you want to disable it.
-  Also, we do not check PyPI if the user is `__token__`, so using an API token.
-  [maurits] (#50)
+Tests
 
-- Fix missing changelog entries when running ``bin/manage changelog``.
-  [maurits] (#60)
+- Update tox to support python 3.10 and 3.11. (#193)
 
 
-Plone: 5.2.13 → 5.2.14
+Plone: 5.2.14 → 5.2.15
 ----------------------
 Bug fixes:
 
-- Release Plone 5.2.14.
+- Release Plone 5.2.15.
   [maurits]
 
 
-plone.app.multilingual: 5.6.4 → 5.6.6
--------------------------------------
+plone.app.discussion: 3.4.7 → 3.4.9
+-----------------------------------
+New features:
+
+- Provide HCaptcha if plone.formwidget.hcaptcha is installed.  @ksuess (#230)
+
 Bug fixes:
 
-- Fix setting Indonesian language cookie on site root: must be ``id``, not ``id-id``.
-  [maurits] (#304)
+- Apply validation for all captchas. @ksuess (#233)
 
-- Fix ``set_recursive_language`` to actually find child objects.
-  [maurits] (#304)
 
-- Root language switcher: redirect to ``id-id`` if the Indonesian language is preferred.
-  [maurits] (#304)
+plone.app.linkintegrity: 3.6.1 → 3.6.2
+--------------------------------------
+Bug fixes:
 
-- Do not unset the language on the Indonesian root language folder when saving the control panel.
-  This language has ``id`` as code.  This is not allowed as an id in Plone, so it is created as ``id-id`` instead.
-  This needs some special handling.
-  Added upgrade to recursively fix this language folder to set the Indonesian language.  This is only done when the folder itself has the wrong language.
-  [maurits] (#304)
+- Report sources once per breach in delete_confirmation_info.
+  [jaroel] (#95)
 
 
-plone.app.upgrade: 2.1.6 → 2.1.7
+plone.app.locales: 5.1.33 → 5.1.34
+----------------------------------
+- Update Portuguese translation
+  [ksuess]
+
+
+plone.app.upgrade: 2.1.7 → 2.1.8
 --------------------------------
 Bug fixes:
 
-- Added upgrade to 5222, Plone 5.2.14.
-  [maurits] (#5222)
+- Added upgrade to 5223, Plone 5.2.15.
+  [maurits] (#5223)
 
 
-plone.namedfile: 5.6.0 → 5.6.1
-------------------------------
+plone.app.z3cform: 3.2.4 → 3.2.5
+--------------------------------
 Bug fixes:
 
-- Fix stored XSS (Cross Site Scripting) for SVG images.
-  Done by forcing a download instead of displaying inline.
-  See `security advisory <https://github.com/plone/plone.namedfile/security/advisories/GHSA-jj7c-jrv4-c65x>`_.
-  [maurits] (#1)
+- Make labels/legends of fieldsets translatable.
+  [ksuess] (#87)
 
 
-plone.restapi: 7.8.2 → 7.8.3
+plone.restapi: 7.8.3 → 7.9.0
 ----------------------------
-Bug fixes:
-
-- Fix content serializer with an old version of an item that was renamed. @davisagli (#1651)
+New features:
 
+- Added `@site` and `@navroot` endpoints. @erral (#1464)
 
-Products.CMFCore: 2.7.0 → 2.7.1
--------------------------------
-- Make ``decodeFolderFilter`` and ``encodeFolderFilter`` non-public.
-  This is the workaround from `CVE-2023-36814 <https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87>`_.
+- New version pins to run tests
+  [erral] (#1721)
 
 
-Products.CMFPlone: 5.2.13 → 5.2.14
+Products.CMFPlone: 5.2.14 → 5.2.15
 ----------------------------------
 Bug fixes:
 
-- Update metadata version to 5222, Plone 5.2.14.
-  [maurits] (#5222)
+- Check for container field / attribute when trying to create content with same id
+  [laulaz] (#3847)
 
+- Fix problem when adding a Plone site with a custom INonInstallable utility without a getNonInstallableProfiles method. (#3862)
+
+- Update metadata version to 5223, Plone 5.2.15.
+  [maurits] (#5223)
+
+
+plone.app.debugtoolbar: 1.3.0 → 1.4.0
+-------------------------------------
+New features:
+
+- Added more improvements about i18n support [macagua]
+
+  Updated Spanish translation [macagua]
+
+  Updated the documentation [macagua]
+
+  Upgraded the buildout configuration to Plone 6.0 version [macagua] (#31)
+
+
+plone.app.blocks: 5.2.1 → 5.2.2
+-------------------------------
+
+- No longer test on Python 3.7 or on Plone 6.0.
+  For Plone 6 you can use version 7 or higher.
+  Plone 5.1 is officially still supported, and Python 2.7 as well.
+  [maurits]
 
+- Fix for AttributeError in linkintegrity code when pasting a folder containing a page with tiles.
+  Related to `issue 97 <https://github.com/plone/plone.app.blocks/issues/97>`_.
+  [cillianderoiste]

release/constraints.txt

@@ -25,7 +25,7 @@ Paste==3.5.2
 PasteDeploy==2.1.1; python_version < "3.0"
 PasteDeploy==3.0.1; python_version >= "3.0"
 Persistence==3.6
-Plone==5.2.14
+Plone==5.2.15
 Products.ATContentTypes==3.0.7; python_version < "3.0"
 Products.Archetypes==1.16.6; python_version < "3.0"
 Products.BTreeFolder2==4.4
@@ -35,7 +35,7 @@ Products.CMFDynamicViewFTI==6.0.3
 Products.CMFEditions==3.3.5
 Products.CMFFormController==4.1.4
 Products.CMFPlacefulWorkflow==2.0.4
-Products.CMFPlone==5.2.14
+Products.CMFPlone==5.2.15
 Products.CMFQuickInstallerTool==4.0.4
 Products.CMFUid==3.5
 Products.DCWorkflow==2.7.0
@@ -223,7 +223,7 @@ platformdirs==2.0.2
 plone.alterego==1.1.5
 plone.api==1.11.1
 plone.app.blob==1.8.2; python_version < "3.0"
-plone.app.blocks==5.2.1
+plone.app.blocks==5.2.2
 plone.app.caching==2.2.1
 plone.app.collection==1.2.8; python_version < "3.0"
 plone.app.content==3.8.10
@@ -233,9 +233,9 @@ plone.app.contentrules==4.1.6
 plone.app.contenttypes==2.2.3
 plone.app.controlpanel==4.0.1; python_version < "3.0"
 plone.app.customerize==1.3.12
-plone.app.debugtoolbar==1.3.0
+plone.app.debugtoolbar==1.4.0
 plone.app.dexterity==2.6.11
-plone.app.discussion==3.4.7
+plone.app.discussion==3.4.9
 plone.app.drafts==1.1.3
 plone.app.event==3.2.14
 plone.app.folder==1.3.2
@@ -244,8 +244,8 @@ plone.app.imaging==2.1.2; python_version < "3.0"
 plone.app.intid==1.1.4
 plone.app.iterate==4.0.3
 plone.app.layout==3.5.2
-plone.app.linkintegrity==3.6.1
-plone.app.locales==5.1.33
+plone.app.linkintegrity==3.6.2
+plone.app.locales==5.1.34
 plone.app.lockingbehavior==1.0.7
 plone.app.mosaic==2.2.5
 plone.app.multilingual==5.6.6
@@ -261,15 +261,15 @@ plone.app.testing==6.1.9
 plone.app.textfield==1.3.7
 plone.app.theming==4.1.8
 plone.app.tiles==3.3.0
-plone.app.upgrade==2.1.7
+plone.app.upgrade==2.1.8
 plone.app.users==2.6.8
 plone.app.uuid==2.0.2
 plone.app.versioningbehavior==1.4.6
 plone.app.viewletmanager==3.1.3
 plone.app.vocabularies==4.3.0
 plone.app.widgets==3.0.7
 plone.app.workflow==4.0.4
-plone.app.z3cform==3.2.4
+plone.app.z3cform==3.2.5
 plone.autoform==1.9.1
 plone.batching==1.1.7
 plone.behavior==1.4.0
@@ -304,14 +304,14 @@ plone.recipe.alltests==1.5.2
 plone.recipe.command==1.1
 plone.recipe.precompiler==0.7.2
 plone.recipe.zeoserver==2.0.3
-plone.recipe.zope2instance==6.12.1
+plone.recipe.zope2instance==6.13.0
 plone.registry==1.2.1
 plone.releaser==1.8.9
 plone.reload==3.0.2
 plone.resource==2.1.4
 plone.resourceeditor==3.0.4
 plone.rest==1.6.2
-plone.restapi==7.8.3
+plone.restapi==7.9.0
 plone.rfc822==2.0.2
 plone.scale==3.1.2
 plone.schema==1.4.0