Ticket #6943 (closed Bug: fixed)
statusmessages uses dangerous code to encode and decode the cookie value
| Reported by: | hannosch | Owned by: | hannosch |
|---|---|---|---|
| Priority: | major | Milestone: | 3.0.4 |
| Component: | Infrastructure | Keywords: | |
| Cc: | | | |
Description
The current code for encoding the value into the cookie is potentially dangerous. Since the 3.0 compliant release, we translate the statusmessages before putting them into the cookie, so all we need is a way to encode a list of (message, type) tuples where both are unicode strings. This should be much easier to do than in the 2.5 code, which has a list of (Message object, type) tuples.
A small xml snippet would probably work, or some simple variation of a somewhat separated list (for example message#type|message#type...), but quoting of the separator characters needs to be done properly. For the xml snippet, size constraints for the cookie might interfere and some kind of compression might be needed as well...

This issue has turned out to be a real security issue and has been assigned CVE-2007-5741 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5741). There is a hotfix available at http://plone.org/products/plone-hotfix/releases/20071106 which you should install immediately.
The issue is fixed in the statusmessages 2.0.2 and 3.0.2 releases, which will be included in Plone 2.5.5 and Plone 3.0.3.