[Checkins] SVN: Products.Hotfix_20060705/ Hotfix for docutils vulnerability.

Tres Seaver tseaver at palladion.com
Wed Jul 5 16:39:48 EDT 2006


Log message for revision 68986:
  Hotfix for docutils vulnerability.
  

Changed:
  A   Products.Hotfix_20060705/
  A   Products.Hotfix_20060705/README.txt
  A   Products.Hotfix_20060705/__init__.py
  A   Products.Hotfix_20060705/version.txt

Added: Products.Hotfix_20060705/README.txt
===================================================================
--- Products.Hotfix_20060705/README.txt	2006-07-05 20:26:25 UTC (rev 68985)
+++ Products.Hotfix_20060705/README.txt	2006-07-05 20:39:48 UTC (rev 68986)
@@ -0,0 +1,18 @@
+Hotfix-20060705 README
+======================
+
+This hotfix corrects an information disclosure vulnerability in Zope2, due to Zope2's
+use of the docutils module to parse and rend "restructured text".
+
+Sites which allow untrusted users to create restructured text as through-the-web
+content should upgrade to a version of Zope2 more recent than this hotfix.
+
+Affected Versions
+-----------------
+
+  - Zope 2.7.0 - 2.7.8
+
+  - Zope 2.8.0 - 2.8.7
+
+  - Zope 2.9.0 - 2.9.2
+
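Review bot: the README never states what the hotfix actually changes or how a site applies it. Since the code in this commit deletes docutils' `raw` and `include` directives, the README should say that those two directives become unavailable once the Product is installed, so administrators know which existing reStructuredText content will stop rendering as before. The line `use of the docutils module to parse and rend "restructured text".` has a typo (`rend` for `render`), and "a version of Zope2 more recent than this hotfix" should name the fixed Zope releases once they exist, because a dated hotfix has no version ordering relative to Zope releases.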


Property changes on: Products.Hotfix_20060705/README.txt
___________________________________________________________________
Name: svn:eol-style
   + native

Added: Products.Hotfix_20060705/__init__.py
===================================================================
--- Products.Hotfix_20060705/__init__.py	2006-07-05 20:26:25 UTC (rev 68985)
+++ Products.Hotfix_20060705/__init__.py	2006-07-05 20:39:48 UTC (rev 68986)
@@ -0,0 +1,10 @@
+""" Hotfix_20060705
+
+Disable reStructuredText's 'raw' and 'include' directives, because they allow
+for information disclosuer and other nastiness.
+
+$Id$
+"""
+from docutils.parsers.rst.directives import misc
+del misc.raw
+del misc.include;
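Review bot: the two bare `del` statements assume both attributes exist and will raise AttributeError at Product import time on any docutils version that names or locates these directives differently, which would stop the hotfix from loading at all. Guard each deletion, for example `if hasattr(misc, 'raw'): del misc.raw`, and log when nothing was removed, so an ineffective hotfix is noticed rather than silent. Deleting the module attribute also only affects lookups that happen after this Product is imported; any code that bound the directive objects earlier still holds them, so the docstring should state that the hotfix must load before any reStructuredText is rendered. Minor: the trailing semicolon on `del misc.include;` is stray, and `disclosuer` in the docstring is a typo.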


Property changes on: Products.Hotfix_20060705/__init__.py
___________________________________________________________________
Name: svn:keywords
   + Id
Name: svn:eol-style
   + native

Added: Products.Hotfix_20060705/version.txt
===================================================================
--- Products.Hotfix_20060705/version.txt	2006-07-05 20:26:25 UTC (rev 68985)
+++ Products.Hotfix_20060705/version.txt	2006-07-05 20:39:48 UTC (rev 68986)
@@ -0,0 +1 @@
+Hotfix_20060705


Property changes on: Products.Hotfix_20060705/version.txt
___________________________________________________________________
Name: svn:eol-style
   + native
