[Zope3-dev] Re: Through-the-web reStructuredText

Jim Fulton jim at zope.com
Fri Jul 7 17:01:21 EDT 2006


On Jul 7, 2006, at 4:37 PM, Tres Seaver wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jim Fulton wrote:
>
>> Zope 3, as released, is not affected by the security hole that
>> has plagued Zope 2; however, Michael Haubenwallner has pointed
>> out that some add-on products, such as zwiki and bugtracker, may
>> provide TTW reST.
>
> They appear to be "safe" for the moment, but not because they
> intentionally disable file inclusion: rather, they have a bug (they set
> the 'encoding' to 'unicode', which then causes an exception).
>
> DTML Page was another possible culprit: it too is safe for the moment,
> because Z3's DTML does not have a handler for 'fmt="restructured-text"'.
> That is not really a comfort, because someday somebody is going to
> harmonize Zope2's DTML features into Zope3's DTML; at that point we are
> hosed again.

Yup, unless someone does the reST integration correctly.

>> There are 2 issues here:
>>
>> 1. That we need to warn anyone using these that there is an issue,
>>    including anyone who might be using a Zope 3 checkout in
>>    production.
>>
>> 2. I want to move these out of the main subversion tree.
>>
>> For those of you on this list, consider yourself warned.
>> We should probably send out a warning more broadly though.
>>
>> Thoughts?
>
> I think the benefit of leaving file inclusion lying around in the main
> python path's version of docutils (for benefit of notional filesystem
> ReST users) is far outweighed by the risks associated with it. TTW ReST
> is *valuable* to people: it gets used by content authors, among others.

I hear you.  I find it a hard call. It should be possible to use reST
safely without removing the feature, yet we have shown ourselves
unable to over and over again. :(

I think we need tests for any TTW reST code and those tests need to
demonstrate that file/url inclusion is disabled.

Jim

--
Jim Fulton			mailto:jim at zope.com		Python Powered!
CTO 				(540) 361-1714			http://www.python.org
Zope Corporation	http://www.zope.com		http://www.zope.org
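The kind of test Jim asks for, as an added example that is not code from this thread or from Zope: it renders a reST document containing an ``include::`` directive that points at a constructed temporary file, once with docutils' default settings and once with inclusion switched off, and reports whether the file's contents leaked into the HTML. The settings names ``file_insertion_enabled``, ``raw_enabled``, ``report_level``, ``halt_level`` and ``_disable_config`` are docutils' own; the function names and the marker string are this example's.

```python
"""Regression check: does a reST renderer splice server-side files into
its output?  Added example, not from the mailing-list thread.
Assumes docutils is installed (the module still imports without it)."""
import os
import tempfile

try:
    from docutils.core import publish_parts
except ImportError:  # keep the module importable even without docutils
    publish_parts = None

# Settings a through-the-web renderer should pass for untrusted input.
HARDENED_SETTINGS = {
    "file_insertion_enabled": False,  # disables include:: and the file/url options of raw::
    "raw_enabled": False,             # disables raw:: entirely (no pass-through HTML)
    "report_level": 5,                # keep docutils' own system messages out of the output
    "halt_level": 5,
    "_disable_config": True,          # ignore any docutils.conf found on the server
}

# Same output settings, but with inclusion left at docutils' defaults (on),
# so the two runs differ only in the security-relevant options.
DEFAULT_INCLUSION_SETTINGS = {
    "report_level": 5,
    "halt_level": 5,
    "_disable_config": True,
}


def render_rest(text, settings):
    """Render a reST string to an HTML body fragment with the given settings."""
    if publish_parts is None:
        raise RuntimeError("docutils is not installed")
    return publish_parts(text, writer_name="html", settings_overrides=settings)["body"]


def inclusion_is_disabled(render, marker="CONSTRUCTED-SECRET-MARKER"):
    """Return True if `render` refuses to pull a server-side file into its output.

    `render` is any callable taking a reST string and returning rendered text.
    A temporary file holding a constructed marker stands in for a sensitive
    file; the test passes when the marker never reaches the output."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(marker + "\n")
        path = fh.name
    try:
        doc = "Title\n=====\n\n.. include:: %s\n" % path
        return marker not in render(doc)
    finally:
        os.unlink(path)


def check_both():
    """Run the check against default and hardened settings.

    Returns {'defaults': bool, 'hardened': bool} or None without docutils."""
    if publish_parts is None:
        return None
    return {
        "defaults": inclusion_is_disabled(lambda t: render_rest(t, DEFAULT_INCLUSION_SETTINGS)),
        "hardened": inclusion_is_disabled(lambda t: render_rest(t, HARDENED_SETTINGS)),
    }


if __name__ == "__main__":
    print(check_both())  # expected: {'defaults': False, 'hardened': True}
```

Wire ``inclusion_is_disabled`` to whatever callable the product actually exposes for TTW rendering, so the test exercises the real code path rather than a copy of its settings; a passing ``defaults`` run is the regression the thread describes.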