Jim Fulton wrote:

> On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
> ...
>> I'll note that tests wouldn't have helped here in the absence of a more careful security review of docutils: none of us was aware of the 'raw' directive as an attack vector for file inclusion until you mentioned it the other day.
>
> Except that, as you discovered, it was *not* an attack vector. Setting file_insertion_enabled to False disables file insertion via the raw directive too. The real problem was that you could still use the include directive to include files via DTML and Plone. We didn't have a test to demonstrate that you couldn't use file insertion from DTML. And, obviously, the author of the Plone feature didn't have tests either.
>
> I agree that tests are not enough. The person who brought this issue up at EuroPython had a good point that whenever we use 3rd-party code, we need to consider its security implications. We didn't even read the documentation for reST when we incorporated this feature.

I think we picked up the feature (file inclusion) unnoticed in an upgrade (but could be wrong).

Tres.

--
===================================================================
Tres Seaver          +1 202-558-7113          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
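The missing check Jim describes, as an added example that is not code from Zope, Plone or docutils: a defense-in-depth scan of untrusted reST that rejects the `include` directive and any `raw` directive carrying a `:file:` or `:url:` option, so a renderer whose `file_insertion_enabled` setting is silently changed by an upgrade cannot regain file access unnoticed. The function names and the sample documents are constructed for this example.

```python
"""Pre-render scan of untrusted reST for file-inserting directives.

docutils' ``include`` directive always reads a file, and ``raw`` reads one
when given a ``:file:`` or ``:url:`` option; ``file_insertion_enabled =
False`` disables both.  This check runs *before* the text reaches docutils,
as a regression test and a second line of defence for that setting.
"""
import re

# Directive marker: "..", blanks, name, optional blank, "::", then blank or
# end of line.  docutils matches directive names case-insensitively, and a
# directive may be indented when nested inside another block.
_DIRECTIVE = re.compile(r'^(?P<indent>\s*)\.\.\s+(?P<name>[\w.:-]+?)\s*::(?:\s+|$)')
# Field-list option line inside a directive block, e.g. ":file: /etc/passwd".
_OPTION = re.compile(r'^\s*:(?P<opt>[^:\s][^:]*):')

# 'raw' options that make docutils read from disk or the network.
FILE_OPTIONS = {'file', 'url'}


def find_file_insertions(source):
    """Return (line_no, directive, offending_line) for every directive that
    would insert a file or URL.  An empty list means no file insertion."""
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name = m.group('name').lower()
        if name == 'include':
            # The include argument is always a path: flag it unconditionally.
            findings.append((idx + 1, 'include', line.strip()))
        elif name == 'raw':
            # Options sit on the lines after the directive, indented deeper
            # than its ".." column, and end at the first blank line.
            base = len(m.group('indent'))
            for opt_line in lines[idx + 1:]:
                if not opt_line.strip() or len(opt_line) - len(opt_line.lstrip()) <= base:
                    break
                om = _OPTION.match(opt_line)
                if om and om.group('opt').strip().lower() in FILE_OPTIONS:
                    findings.append((idx + 1, 'raw', opt_line.strip()))
    return findings


def check_untrusted_rest(source):
    """Raise ValueError if untrusted reST would insert a file; else return it."""
    hits = find_file_insertions(source)
    if hits:
        raise ValueError('file insertion refused: %s' % hits)
    return source
```

Inline `raw` content without `:file:`/`:url:` is deliberately not flagged here; whether to allow raw markup at all is a separate decision (`raw_enabled`).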