Jim Fulton wrote:
...
You mean auditing. Testing would not help imho. Testing only checks if expected behavior still works. And nobody expects the Spanish Inquisition *wink* ;)
You can test that trying to do file inclusion fails.
For example, if I were the one who had written the naive test, I would not have known a file inclusion feature even exists or is supposed to be exposed to reST. So my test would not have tested it. So we would have had perfect tests for all the reST things we want and expect, but the hole would exist anyway.

To cut a long story short, I guess the current fix can work, or there can be other holes (of which we would constantly be unaware, no matter how many tests tell us the file inclusion does not work anymore). So what's the solution? Audit of the docutils package? Putting it into a restricted environment like the other template engines? Inclusion of our own docutils-like, but audited, code?

Regards
Tino
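The point made above is that a negative test for one known directive does not protect against directives nobody knew were exposed. An added example (not code from this thread, nor from Zope or docutils) of a check that fails closed instead: a pre-render gate that only lets through directive names on an explicit allowlist, so an unknown directive is rejected rather than silently rendered. The allowlist contents and the function names are assumptions for this example; the directive syntax it parses (`.. name::`, optionally preceded by a `|substitution|`) is standard reST.

```python
import re

# Policy choice (assumption for this example): directives a typical wiki or
# document renderer actually needs. Anything not listed is rejected, so a
# file-reading directive we were not aware of is blocked by default.
DEFAULT_ALLOWED = frozenset({
    "note", "warning", "tip", "image", "figure", "code", "contents", "math", "table",
})

# A directive line: optional indent, "..", whitespace, optional "|sub| ",
# the directive name, then "::". Directive names are case-insensitive in reST.
# Comment lines (".. free text") have no "::" and therefore do not match.
DIRECTIVE_RE = re.compile(
    r"^\s*\.\.\s+(?:\|[^|]+\|\s+)?([A-Za-z][\w.-]*)\s*::",
    re.MULTILINE,
)


def find_directives(source: str) -> list[str]:
    """Return every directive name used in the reST source, lower-cased, in order."""
    return [m.group(1).lower() for m in DIRECTIVE_RE.finditer(source)]


def disallowed_directives(source: str, allowed: frozenset = DEFAULT_ALLOWED) -> list[str]:
    """Return directive names that are not on the allowlist (empty list means OK to render).

    Because this is an allowlist, 'include' and 'raw' (which can read files) are
    rejected without ever having to be named, and so is any directive we do not know about.
    """
    return [name for name in find_directives(source) if name not in allowed]


def is_safe_to_render(source: str, allowed: frozenset = DEFAULT_ALLOWED) -> bool:
    """Gate to call before handing untrusted reST to the real renderer."""
    return not disallowed_directives(source, allowed)


if __name__ == "__main__":
    # Constructed sample documents for illustration.
    samples = {
        "plain": "Title\n=====\n\n.. note::\n\n   Just a note.\n",
        "include": ".. include:: /some/file/on/the/server\n",
        "raw-sub": ".. |x| raw:: html\n   :file: something.html\n",
        "unknown": ".. some-directive-nobody-reviewed:: arg\n",
    }
    for label, text in samples.items():
        print(f"{label:8} -> rejected directives: {disallowed_directives(text)}")
```

The gate belongs in front of the renderer, and the negative tests for it assert on the rejection list, not merely on the rendered output. It is a complement to, not a replacement for, the renderer's own controls: docutils exposes `file_insertion_enabled` and `raw_enabled` settings that disable the file-reading behaviour at the source, and both layers should be exercised by tests so a future directive does not reopen the hole unnoticed.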