On Jul 8, 2006, at 5:38 PM, Tino Wildenhain wrote:
Jim Fulton wrote:
...
You mean auditing. Testing would not help imho. Testing only checks if expected behavior still works. And nobody expects the Spanish Inquisition *wink* ;)
You can test that trying to do file inclusion fails.
For example, if I were the one who had written the naive test, I would not have known a file inclusion feature even exists or is supposed to be exposed to reST. So my test would not have tested it. So we had perfect tests for all the reST things we want and expect, but the hole would exist anyway.
I agree that testing is not enough if you don't know what to test for. It's sad that whoever enabled this didn't bother to read the docutils documentation, which documents the feature and even provides a warning about its security issues: http://docutils.sourceforge.net/docs/ref/rst/directives.html#including-an-external-document-fragment

Jim

--
Jim Fulton    mailto:jim@zope.com    Python Powered!
CTO    (540) 361-1714    http://www.python.org
Zope Corporation    http://www.zope.com    http://www.zope.org
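The regression test the thread talks about, written as an added example rather than code from the list or from Zope: it renders untrusted reST containing an `.. include::` of a constructed local file and checks whether the file's contents leak into the output, once with docutils defaults and once with the `file_insertion_enabled`/`raw_enabled` settings turned off. It assumes docutils is installed; the settings names are docutils' own, the sentinel file is constructed for the test.

```python
# Added example: a test that reST rendering of untrusted input cannot pull
# in local files through the ``.. include::`` directive.  Assumes docutils.
import os
import tempfile
from docutils.core import publish_parts

# Settings a renderer for untrusted reST should use: file_insertion_enabled
# governs include/raw-file/external-image reading, raw_enabled the raw
# directive; the level settings keep system messages out of the output.
SAFE_SETTINGS = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
    "report_level": 5,
    "halt_level": 5,
}

def render(source, settings=None):
    """Render reST to an HTML body fragment using the given settings overrides."""
    overrides = dict(settings or {})
    overrides.setdefault("report_level", 5)   # constructed: silence warnings
    overrides.setdefault("halt_level", 5)
    return publish_parts(source, writer_name="html",
                         settings_overrides=overrides)["body"]

def include_is_blocked(settings):
    """Return True if an include directive cannot read a local file under `settings`."""
    marker = "SENTINEL-7f3a"  # constructed sentinel, not a real secret
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "w") as fh:
            fh.write(marker + "\n")
        # Untrusted document that tries to pull the file in.
        source = "Untrusted text\n\n.. include:: %s\n" % path
        html = render(source, settings)
    return marker not in html

if __name__ == "__main__":
    print("default settings block include:", include_is_blocked({}))
    print("hardened settings block include:", include_is_blocked(SAFE_SETTINGS))
```

With docutils defaults the sentinel shows up in the rendered HTML, so the test fails; with `SAFE_SETTINGS` it does not, which is the property to pin down in a test suite.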