[Zope3-dev] Re: Through-the-web reStructuredText
Jim Fulton
jim at zope.com
Fri Jul 7 17:01:21 EDT 2006
On Jul 7, 2006, at 4:37 PM, Tres Seaver wrote:
> Jim Fulton wrote:
>
>> Zope 3, as released, is not affected by the security hole that
>> has plagued Zope 2; however, Michael Haubenwallner has pointed
>> out that some add-on products, such as zwiki and bugtracker, may
>> provide TTW reST.
>
> They appear to be "safe" for the moment, but not because they
> intentionally disable file inclusion: rather, they have a bug (they set
> the 'encoding' to 'unicode', which then causes an exception).
>
> DTML Page was another possible culprit: it too is safe for the moment,
> because Z3's DTML does not have a handler for 'fmt="restructured-text"'.
> That is not really a comfort, because someday somebody is going to
> harmonize Zope2's DTML features into Zope3's DTML; at that point we are
> hosed again.
Yup, unless someone does the reST integration correctly.
>> There are 2 issues here:
>>
>> 1. That we need to warn anyone using these that there is an issue,
>> including anyone who might be using a Zope 3 checkout in
>> production.
>>
>> 2. I want to move these out of the main subversion tree.
>>
>> For those of you on this list, consider yourself warned.
>> We should probably send out a warning more broadly though.
>>
>> Thoughts?
>
> I think the benefit of leaving file inclusion lying around in the main
> python path's version of docutils (for benefit of notional filesystem
> ResT users) is far outweighed by the risks associated with it. TTW ReST
> is *valuable* to people: it gets used by content authors, among others.
I hear you. I find it a hard call. It should be possible to use reST
safely without removing the feature, yet we have shown ourselves
unable to over and over again. :(
I think we need tests for any TTW reST code and those tests need to
demonstrate that file/url inclusion is disabled.
Jim
--
Jim Fulton mailto:jim at zope.com
CTO (540) 361-1714
Zope Corporation http://www.zope.com http://www.zope.org
Python Powered! http://www.python.org
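As an added example (not code from this thread, from Zope, or from docutils itself), the kind of test Jim asks for: it renders reST that tries to pull a server file into the page through the `include` and `raw :file:` directives, and checks that the docutils settings `file_insertion_enabled` and `raw_enabled` keep the file's contents out of the output. The two settings names are real docutils options; the settings dicts, the marker file and the helper names are constructed for this test.

```python
import io
import os
import tempfile

from docutils.core import publish_parts

# Settings every TTW renderer should pass explicitly (constructed here).
# The two *_enabled keys are real docutils settings; the others only keep
# system messages off stderr and stop docutils raising on bad input.
SAFE_SETTINGS = {
    'file_insertion_enabled': False,  # disables `include` and `raw :file:`/`:url:`
    'raw_enabled': False,             # disables the `raw` directive altogether
    'halt_level': 5,                  # never raise on user-supplied markup
    'warning_stream': io.StringIO(),  # collect system messages instead of printing
}
# docutils defaults (file insertion on): the state this thread warns about.
DEFAULT_SETTINGS = {'halt_level': 5, 'warning_stream': io.StringIO()}


def render(source, settings):
    """Render reST to an HTML fragment with the given settings overrides."""
    return publish_parts(source, writer_name='html',
                         settings_overrides=settings)['fragment']


def inclusion_is_disabled(settings):
    """True iff neither `include` nor `raw :file:` can copy a file from the
    server into the rendered output under `settings`.

    A marker string is written to a temporary file (constructed sample
    data); the test passes only if that marker never reaches the HTML.
    """
    marker = 'SECRET-MARKER-8f2c'
    fd, path = tempfile.mkstemp(suffix='.txt')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(marker + '\n')
        # Markup a content author could submit through the web.
        source = ('.. include:: %s\n\n'
                  '.. raw:: html\n   :file: %s\n' % (path, path))
        html = render(source, settings)
    finally:
        os.unlink(path)
    return marker not in html
```

With the safe settings docutils replaces each directive with a "directive disabled" system message, so the test also catches a future change that silently re-enables inclusion.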