--On 8. Juli 2006 07:45:01 -0400 Jim Fulton <jim@zope.com> wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton <jim@zope.com> wrote:
I think we should do a 2.9.4 release to incorporate the recent hot fix. This is easy for me to say, since I won't be doing it. :)
Because this recent fix actually fixed the same problem that the previous hot fix was supposed to fix, I think someone needs to work up some decent tests. This is not a trivial task, bit it is necessary. If no one is willing to do this, I think we need to drop the TTW reStructuredText support from Zope 2, as it is too great a risk.
Dropping TTW reST is absolutely not an option. I breaks backward compatibility.
Sorry, security trumps backward compatibility.
Only if there is no other option. Tres' patch seems to resolve this issue and with further testing there is no need to remove the functionality.
BTW, I suspect that a less violent patch could be created, if anyone wants to champion TTW reStructuedText support in Zope 2. Personally, I'm for dropping it.
Tres' patch is looking in fine to me. I don't see a need right now for dropping reST with having file inclusing *removed*.
Has anyone written tests for Tres' patch? Apparently no one wrote adequate tests for the last hot fix, which helped put us in this situation.
I'm not opposed to keeping TTW reST if *someone takes responsibility* for it. I don't see this happening. If someone cares enough about TTW reST to stand behind it and properly address the security risks by writing tests, then great.
There is currently litte need to break this over the knee. We have a hotfix, we have a stripped down version of Docutils. We have some time until the next releases. Perhaps nobody had time so far (at least me) for writing further tests..that does not mean that nobody takes responsibility. If we would rip of everything from Zope 2 where nobody takes over responsibility....what would be left? In addition I don't see a big problem for Zope-only(!) apps. Using reST in Zope requires access to the ZMI which is in general available only to trusted users. Removing TTW-editing of reST in Zope does *not* solve any problem e.g. for Plone where reST can be edited through the Plone UI by usually untrusted users. It is *our* task to make reST (basically Docutils) secure enough. It's safe enough for Zope-only apps but I agree that the Docutils code and the "hotfix" requires some more testing and review.
Otherwise it has to go.
No :-)
It reflects a sorry, but perhaps sadly accurate, view of the community's commitment to quality. :(
Sorry, I've no idea what you mean with this remark. Andreas