Re: Through-the-web reStructuredText
Michael Haubenwallner wrote:
Tres Seaver wrote:
Michael Haubenwallner wrote:
Tres Seaver wrote:
Jim Fulton wrote:
Zope 3, as released, is not affected by the security hole that has plagued Zope 2; however, Michael Haubenwallner has pointed out that some add-on products, such as zwiki and bugtracker, may provide TTW reST. They appear to be "safe" for the moment, but not because they intentionally disable file inclusion: rather, they have a bug (they set the 'encoding' to 'unicode', which then causes an exception).
Both reStructuredText directives 'include' and 'raw' have an 'encoding' option to set the name of the text encoding of the external data file/raw data (file or URL); it defaults to the document's encoding (if specified).

    .. include:: filename.ext
       :encoding: utf-8

    .. raw:: html
       :file: filename.ext
       :encoding: utf-8

should work as expected.
Michael
Verified. Both wikis and bugtracker issues are capable of including arbitrary files using that spelling (in an instance created from today's Zope3 trunk, anyway).
Zope3 accesses docutils in a single point atm: zope.app.renderer.rest.ReStructuredTextToHTMLRenderer.render()
All objects created from the factory zope.source.rest are rendered here. It should be possible to configure the docutils parser (and its directives) by adjusting the 'settings_overrides' values.
I think the same can be done (and is done already) for Zope2.x in lib.python.reStructuredText.render() with the 'settings' dictionary.
That way it would be possible to make the parser usage configurable and no need to use a patched docutils.
In Zope2 land, the module is still available, and can be used by other code (which may not know of that issue). I'm *not* in favor of shipping an un-patched docutils until we work this out. For instance, perhaps we should be patching docutils to make the *default* settings disable file inclusion and 'raw'; then the trusted code which wanted to render reST which legitimately needed those features could enable them explicitly.

Tres.

--
===================================================================
Tres Seaver +1 202-558-7113 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
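As an added illustration of the settings_overrides approach discussed in this thread (example code written for this page, not code from Zope, zwiki, bugtracker or docutils), the following renders the same attacker-supplied reST twice: once with docutils' stock settings, where the 'include' and 'raw :file:' spelling Michael gives above pulls an arbitrary file into the output, and once through a wrapper whose defaults disable file insertion and 'raw', which is the policy Tres proposes. It assumes the docutils package is installed and relies only on its real settings 'file_insertion_enabled' and 'raw_enabled'; the secret file and the attacker input are constructed for the demonstration.

```python
"""Render through-the-web reStructuredText with docutils' file inclusion
and 'raw' directive disabled unless a trusted caller opts in.

Added example for this thread, not Zope's or docutils' own code. It assumes
docutils is installed and uses its settings 'file_insertion_enabled' and
'raw_enabled' via settings_overrides; the secret file and the attacker input
below are constructed sample data.
"""
import io
import os
import tempfile

from docutils.core import publish_parts


def render_rest(source, *, allow_file_insertion=False, allow_raw=False):
    """Return the HTML body for a reST source string.

    With the defaults, docutils replaces every 'include' and 'raw' directive
    with a system message instead of executing it, which is what TTW input
    should get. Trusted code that legitimately needs those directives passes
    allow_file_insertion=True and/or allow_raw=True explicitly.
    """
    overrides = {
        "file_insertion_enabled": allow_file_insertion,  # include, raw :file:/:url:
        "raw_enabled": allow_raw,                        # raw in any form
        "_disable_config": True,           # ignore any docutils.conf on disk
        "warning_stream": io.StringIO(),   # keep system messages off stderr
    }
    return publish_parts(source, writer_name="html",
                         settings_overrides=overrides)["body"]


def demo():
    """Render one attacker input both ways; return (secret, leaky, hardened)."""
    secret = "SECRET-TOKEN-12345"  # constructed stand-in for a config file's contents
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(secret + "\n")

        # The spelling from the thread, aimed at a file the wiki author should not read.
        attacker_input = (
            f".. include:: {path}\n"
            f"   :encoding: utf-8\n\n"
            f".. raw:: html\n"
            f"   :file: {path}\n"
            f"   :encoding: utf-8\n"
        )
        # Same as docutils' stock defaults (both features on): the file leaks.
        leaky = render_rest(attacker_input,
                            allow_file_insertion=True, allow_raw=True)
        # Hardened defaults: both directives become "directive disabled" messages.
        hardened = render_rest(attacker_input)
    return secret, leaky, hardened


if __name__ == "__main__":
    secret, leaky, hardened = demo()
    print("stock settings leak the file:", secret in leaky)
    print("hardened settings leak the file:", secret in hardened)
```

The overrides are applied per call, so a single rendering entry point such as the one Michael names (zope.app.renderer.rest.ReStructuredTextToHTMLRenderer.render, or lib.python.reStructuredText.render in Zope 2) can ship safe defaults without a patched docutils. Note that 'raw_enabled' matters independently of file insertion: even with files blocked, an enabled 'raw:: html' lets an author inject arbitrary markup into the rendered page.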