--On 27 March 2008 20:42:50 +0200 Marius Gedminas <mgedmin@b4net.lt> wrote:
> On Wed, Mar 26, 2008 at 09:20:27PM +0100, Dieter Maurer wrote:
>> Timothy Selivanow wrote at 2008-3-25 17:12 -0700:
>>> ... Now when I say "rip out", I don't mean repackage (make a sub RPM), I mean remove from the RPM that I am making. I don't want to provide a "new" Docutils.
>> That Zope ships with its own "Docutils" comes from the fact that the standard one has a big security hole.
> Which one? The one that lets you embed any file on the filesystem into a web page?
> http://docutils.sourceforge.net/docs/howto/security.html
> I didn't know Zope's bundled version of docutils fixed that. In any case, the src/docutils in the Zope 3.2 tree either doesn't have the fix, or it doesn't work. I tested it and ended up closing that hole in an application myself.
At least Zope 2 uses Docutils with the related options disabled. No idea about Zope 3.2. -aj
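
The "related options" discussed in this thread, shown as an added example that is not code from any poster or from Zope: it renders the same reST with Docutils' file-insertion and raw settings enabled and then disabled, and checks whether a file's contents reach the HTML. The setting names come from the Docutils security howto linked above; the temporary file, the marker string and the helper names are constructed for illustration.

```python
import io
import os
import tempfile

from docutils.core import publish_parts

# Settings named in the Docutils security howto for rendering untrusted input.
HARDENED = {
    "file_insertion_enabled": False,  # blocks include, raw :file:, csv-table :file:
    "raw_enabled": False,             # blocks the raw directive entirely
    "_disable_config": True,          # ignore docutils.conf files that could re-enable them
}
# Docutils' out-of-the-box behaviour, spelled out so the comparison is explicit.
DEFAULTS = {"file_insertion_enabled": True, "raw_enabled": True, "_disable_config": True}

MARKER = "CONSTRUCTEDSECRET12345"  # constructed sample file content


def render(rst_source, settings):
    """Render reST to an HTML fragment; return (html, warning text)."""
    warnings = io.StringIO()
    overrides = dict(settings, warning_stream=warnings)
    parts = publish_parts(rst_source, writer_name="html", settings_overrides=overrides)
    return parts["body"], warnings.getvalue()


def demo():
    """Per directive: (leaks with defaults, leaks when hardened, warning seen)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(MARKER + "\n")
        path = fh.name
    try:
        results = {}
        for directive in (".. include:: %s\n" % path,
                          ".. raw:: html\n   :file: %s\n" % path):
            name = directive.split("::")[0][3:]  # "include" or "raw"
            default_html, _ = render(directive, DEFAULTS)
            hardened_html, warn = render(directive, HARDENED)
            results[name] = (MARKER in default_html, MARKER in hardened_html,
                             "disabled" in warn)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A check like this can be run against whichever Docutils copy an application actually imports, bundled or system-wide, to confirm the options are in effect.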