Jim Fulton wrote:
On Jul 8, 2006, at 10:09 AM, Andreas Jung wrote:
--On 8. Juli 2006 09:53:47 -0400 Jim Fulton <jim@zope.com> wrote:
...
Tres came up with this sledge hammer because he has no confidence in people's willingness to test and implement this feature properly.
I am fine with the sledge-hammer. I've never claimed that we need to support file insertion and raw support in any way. We don't need, we can kick it. But removing or disabling a feature because we are possibly incompetent would be just ridiculous.
I can live with the sledge hammer for Zope 2. All I ask for is tests.
If there are tests for each way of invoking reST through the web that verifies that file-inclusion isn't enabled, then it's alright with me if the sledge hammer is used to make the tests pass. I won't tolerate an untested feature with so much security risk.
Yes, someone has to write the tests at some time, soon.
Right. Before 2.10.
As I pointed out, the risk is minimal for Zope apps because you need to have access to the ZMI.
No, it's not. Getting at arbitrary files is not acceptable from the ZMI.
Agreed. Much of Zope's security machinery would be irrelevant if we didn't care about untrusted users entering more-or-less executable content TTW.
So what are the security concerns in this case? And file inclusion won't work if the related code is stripped off... so what are your security concerns in this case?
I am concerned by the lack of tests. Whoever created the last hot fix was sure the problem was fixed. They were wrong and we're paying the price.
I'll note that tests wouldn't have helped here in the absence of a more careful security review of docutils: none of us was aware of the 'raw' directive as an attack vector for file inclusion until you mentioned it the other day. We *did* disable the vector we knew about (the 'include' directive, when processed from a ZMI-based ReST Document). I think we can be off the hook for the Plone version, as I think they don't call the same function to render the text; the DTML-based version, OTOH, was our fault (I didn't know 'fmt="restructured-text"' existed until this week).

Tres.

--
Tres Seaver +1 202-558-7113 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
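The thread asks for a test that proves both file-inclusion vectors (the 'include' directive and the 'raw' directive) stay disabled when untrusted reST is rendered. The following is an added example of what such a regression check can look like; it is not Zope's code, and the names SAFE_SETTINGS, find_file_insertion_directives, render_untrusted_rst and UNTRUSTED_SAMPLE are this example's own. It combines the "sledge hammer" (reject text that even names either directive) with the docutils settings that switch both off at the parser level.

```python
import re

# docutils parser settings that turn off both vectors named in the thread.
# The two keys are real docutils settings; the dict itself is this example's.
SAFE_SETTINGS = {
    "file_insertion_enabled": False,  # 'include', and :file:/:url: on 'raw'
    "raw_enabled": False,             # the 'raw' directive as a whole
}

# Pre-parse "sledge hammer": refuse to render text that names either
# directive at all, independent of how the parser happens to be configured.
# Directive names are case-insensitive in reST, hence IGNORECASE.
_DIRECTIVE_RE = re.compile(r"^\s*\.\.\s+(include|raw)\s*::",
                           re.IGNORECASE | re.MULTILINE)


def find_file_insertion_directives(text):
    """Return the sorted, de-duplicated names of risky directives in text."""
    return sorted({m.group(1).lower() for m in _DIRECTIVE_RE.finditer(text)})


def render_untrusted_rst(text):
    """Render untrusted reST to an HTML body fragment with both vectors off.

    Raises ValueError before docutils is even imported if the text names
    'include' or 'raw'; otherwise renders with SAFE_SETTINGS applied.
    """
    found = find_file_insertion_directives(text)
    if found:
        raise ValueError("file-insertion directive(s) rejected: %s" % ", ".join(found))
    from docutils.core import publish_parts  # lazy: optional dependency
    parts = publish_parts(text, writer_name="html", settings_overrides=SAFE_SETTINGS)
    return parts["html_body"]


# Constructed sample of the kind of TTW input the thread is worried about.
# The path is a placeholder, not a real target.
UNTRUSTED_SAMPLE = """\
Title
=====

.. include:: /path/to/some-secret-file

.. raw:: html
   :file: /path/to/some-secret-file
"""


def sample_is_rejected(text=UNTRUSTED_SAMPLE):
    """True when the guard refuses the sample instead of rendering it."""
    try:
        render_untrusted_rst(text)
    except ValueError:
        return True
    return False
```

Run under a test framework, `sample_is_rejected()` is the assertion Jim asks for; dropping the pre-check and relying on SAFE_SETTINGS alone should still keep the file contents out of the output, which is the second thing worth asserting once docutils is present.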