[Zope-Checkins] SVN: Zope/trunk/ Merged
philikon-zope2.11-with-standard-docutils:
Philipp von Weitershausen
philikon at philikon.de
Wed Jul 25 16:53:59 EDT 2007
Log message for revision 78333:
Merged philikon-zope2.11-with-standard-docutils:
- Ship Zope with a standard docutils 0.4 distribution, instead
of a patched one. Both trusted and untrusted code are still
protected against unwanted file inclusion.
Changed:
U Zope/trunk/doc/CHANGES.txt
_U Zope/trunk/lib/python/
U Zope/trunk/lib/python/DocumentTemplate/tests/testDTML.py
U Zope/trunk/lib/python/Products/ZReST/ZReST.py
U Zope/trunk/lib/python/Products/ZReST/tests/test_ZReST.py
U Zope/trunk/lib/python/reStructuredText/__init__.py
U Zope/trunk/lib/python/reStructuredText/tests/testReST.py
-=-
Modified: Zope/trunk/doc/CHANGES.txt
===================================================================
--- Zope/trunk/doc/CHANGES.txt 2007-07-25 20:27:08 UTC (rev 78332)
+++ Zope/trunk/doc/CHANGES.txt 2007-07-25 20:53:58 UTC (rev 78333)
@@ -9,6 +9,10 @@
Restructuring
+ - Ship Zope with a standard docutils 0.4 distribution, instead
+ of a patched one. Both trusted and untrusted code are still
+ protected against unwanted file inclusion.
+
- Removed ZGadflyDA (was deprecated since Zope 2.9). The code is
still available from svn.zope.org/Products.ZGadflyDA.
Property changes on: Zope/trunk/lib/python
___________________________________________________________________
Name: svn:externals
- BTrees svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/BTrees
ClientForm svn://svn.zope.org/repos/main/Zope3/trunk/src/ClientForm
RestrictedPython svn://svn.zope.org/repos/main/RestrictedPython/tags/3.4.1/src/RestrictedPython
ThreadedAsync svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/ThreadedAsync
ZConfig svn://svn.zope.org/repos/main/ZConfig/tags/ZConfig-2.3.1
ZEO svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/ZEO
ZODB svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/ZODB
ZopeUndo svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/ZopeUndo
docutils svn://svn.zope.org/repos/main/docutils/tags/0.4.0-zope
mechanize svn://svn.zope.org/repos/main/Zope3/trunk/src/mechanize
persistent svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/persistent
pytz svn://svn.zope.org/repos/main/Zope3/trunk/src/pytz
transaction svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/transaction
zdaemon -r 40792 svn://svn.zope.org/repos/main/zdaemon/trunk/src/zdaemon
zodbcode svn://svn.zope.org/repos/main/zodbcode/trunk/src/zodbcode
+ BTrees svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/BTrees
ClientForm svn://svn.zope.org/repos/main/Zope3/trunk/src/ClientForm
RestrictedPython svn://svn.zope.org/repos/main/RestrictedPython/tags/3.4.1/src/RestrictedPython
ThreadedAsync svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/ThreadedAsync
ZConfig svn://svn.zope.org/repos/main/ZConfig/tags/ZConfig-2.3.1
ZEO svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/ZEO
ZODB svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/ZODB
ZopeUndo svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/ZopeUndo
docutils svn://svn.zope.org/repos/main/docutils/tags/0.4.0
mechanize svn://svn.zope.org/repos/main/Zope3/trunk/src/mechanize
persistent svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/persistent
pytz svn://svn.zope.org/repos/main/Zope3/trunk/src/pytz
transaction svn://svn.zope.org/repos/main/ZODB/branches/3.8/src/transaction
zdaemon -r 40792 svn://svn.zope.org/repos/main/zdaemon/trunk/src/zdaemon
zodbcode svn://svn.zope.org/repos/main/zodbcode/trunk/src/zodbcode
Modified: Zope/trunk/lib/python/DocumentTemplate/tests/testDTML.py
===================================================================
--- Zope/trunk/lib/python/DocumentTemplate/tests/testDTML.py 2007-07-25 20:27:08 UTC (rev 78332)
+++ Zope/trunk/lib/python/DocumentTemplate/tests/testDTML.py 2007-07-25 20:53:58 UTC (rev 78333)
@@ -16,7 +16,7 @@
__rcs_id__='$Id$'
__version__='$Revision: 1.15 $'[11:-2]
-import sys, os
+import sys, os, cgi
import unittest
if __name__=='__main__':
@@ -43,6 +43,14 @@
def d(**kw): return kw
+docutils_include_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils"><string></tt>, line 1)</p>
+<p>"include" directive disabled.</p>'''
+
+docutils_raw_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils"><string></tt>, line 1)</p>
+<p>"raw" directive disabled.</p>'''
+
class PukeError(Exception):
"""Exception raised in test code."""
@@ -340,38 +348,51 @@
source = '.. include:: /etc/passwd'
html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
html._vars['foo'] = source
- self.assertRaises(NotImplementedError, html)
+ result = html()
+ # The include: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(source in result)
+ self.assert_(docutils_include_warning in result)
+
def test_fmt_reST_raw_directive_disabled(self):
-
EXPECTED = '<h1>HELLO WORLD</h1>'
-
source = '.. raw:: html\n\n %s\n' % EXPECTED
html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
html._vars['foo'] = source
+ result = html()
- result = html() # don't raise, but don't work either
- self.failIf(EXPECTED in result)
+ # The raw: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(EXPECTED not in result)
+ self.assert_(cgi.escape(EXPECTED) in result)
+ self.assert_(docutils_raw_warning in result)
- self.failUnless(""raw" directive disabled" in result)
- from cgi import escape
- self.failUnless(escape(EXPECTED) in result)
-
def test_fmt_reST_raw_directive_file_option_raises(self):
-
source = '.. raw:: html\n :file: inclusion.txt'
html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
html._vars['foo'] = source
+ result = html()
- self.assertRaises(NotImplementedError, html, source)
+ # The raw: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(source in result)
+ self.assert_(docutils_raw_warning in result)
def test_fmt_reST_raw_directive_url_option_raises(self):
-
source = '.. raw:: html\n :url: http://www.zope.org'
html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
html._vars['foo'] = source
+ result = html()
- self.assertRaises(NotImplementedError, html, source)
+ # The raw: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(source in result)
+ self.assert_(docutils_raw_warning in result)
def testPropogatedError(self):
Modified: Zope/trunk/lib/python/Products/ZReST/ZReST.py
===================================================================
--- Zope/trunk/lib/python/Products/ZReST/ZReST.py 2007-07-25 20:27:08 UTC (rev 78332)
+++ Zope/trunk/lib/python/Products/ZReST/ZReST.py 2007-07-25 20:53:58 UTC (rev 78333)
@@ -193,16 +193,16 @@
''' Render the source to HTML
'''
if self._v_formatted is None:
-
+ warnings = self._v_warnings = Warnings()
settings = {
'halt_level': 6,
- 'report_level' : self.report_level,
+ 'report_level' : int(self.report_level),
'input_encoding': self.input_encoding,
'output_encoding': self.output_encoding,
'initial_header_level' : 1,
'stylesheet' : self.stylesheet,
'stylesheet_path' : None,
- 'pub.settings.warning_stream' : Warnings(),
+ 'warning_stream' : warnings,
'raw_enabled' : 0,
'file_insertion_enabled' : 0,
}
Modified: Zope/trunk/lib/python/Products/ZReST/tests/test_ZReST.py
===================================================================
--- Zope/trunk/lib/python/Products/ZReST/tests/test_ZReST.py 2007-07-25 20:27:08 UTC (rev 78332)
+++ Zope/trunk/lib/python/Products/ZReST/tests/test_ZReST.py 2007-07-25 20:53:58 UTC (rev 78333)
@@ -5,6 +5,7 @@
$Id$
"""
import unittest
+import cgi
import tempfile
txt = """Hello World
@@ -26,6 +27,9 @@
daemon:x:2:2:Daemon:/sbin:/bin/bash
"""
+docutils_include_warning = '(WARNING/2) "include" directive disabled.'
+docutils_raw_warning = '(WARNING/2) "raw" directive disabled.'
+
class TestZReST(unittest.TestCase):
def _getTargetClass(self):
@@ -78,32 +82,51 @@
def test_include_directive_raises(self):
resty = self._makeOne()
resty.source = 'hello world\n .. include:: /etc/passwd'
- self.assertRaises(NotImplementedError, resty.render)
+ result = resty.render()
+ warnings = ''.join(resty._v_warnings.messages)
+ # The include: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(docutils_include_warning in warnings)
+
def test_raw_directive_disabled(self):
-
+ resty = self._makeOne()
EXPECTED = '<h1>HELLO WORLD</h1>'
-
- resty = self._makeOne()
resty.source = '.. raw:: html\n\n %s\n' % EXPECTED
- result = resty.render() # don't raise, but don't work either
- self.failIf(EXPECTED in result)
+ result = resty.render()
+ warnings = ''.join(resty._v_warnings.messages)
+ # The raw: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(EXPECTED not in result)
+ self.assert_(cgi.escape(EXPECTED) in result)
+ self.assert_(docutils_raw_warning in warnings)
+
def test_raw_directive_file_directive_raises(self):
-
resty = self._makeOne()
resty.source = '.. raw:: html\n :file: inclusion.txt'
- self.assertRaises(NotImplementedError, resty.render)
+ result = resty.render()
+ warnings = ''.join(resty._v_warnings.messages)
+ # The raw: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(docutils_raw_warning in warnings)
+
def test_raw_directive_url_directive_raises(self):
-
resty = self._makeOne()
resty.source = '.. raw:: html\n :url: http://www.zope.org/'
- self.assertRaises(NotImplementedError, resty.render)
+ result = resty.render()
+ warnings = ''.join(resty._v_warnings.messages)
+ # The raw: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(docutils_raw_warning in warnings)
def test_csv_table_file_option_raise(self):
-
resty = self._makeOne()
csv_file = self._csvfile()
resty.source = '.. csv-table:: \n :file: %s' % csv_file
Modified: Zope/trunk/lib/python/reStructuredText/__init__.py
===================================================================
--- Zope/trunk/lib/python/reStructuredText/__init__.py 2007-07-25 20:27:08 UTC (rev 78332)
+++ Zope/trunk/lib/python/reStructuredText/__init__.py 2007-07-25 20:53:58 UTC (rev 78333)
@@ -28,6 +28,15 @@
can download docutils at http://docutils.sourceforge.net/#download.
""" % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }
+# Disable inclusion of files for security reasons. We do this by
+# changing the default value of the ``file_insertion_enabled``
+# parameter to False.
+import docutils.parsers.rst
+for title, options, conf in docutils.parsers.rst.Parser.settings_spec[2]:
+ if options == ['--file-insertion-enabled']:
+ conf['default'] = 0
+ break
+
import sys, os, locale
from App.config import getConfiguration
from docutils.core import publish_parts
Modified: Zope/trunk/lib/python/reStructuredText/tests/testReST.py
===================================================================
--- Zope/trunk/lib/python/reStructuredText/tests/testReST.py 2007-07-25 20:27:08 UTC (rev 78332)
+++ Zope/trunk/lib/python/reStructuredText/tests/testReST.py 2007-07-25 20:53:58 UTC (rev 78333)
@@ -1,10 +1,11 @@
# -*- coding: iso-8859-15 -*-
import unittest
+import cgi
+from docutils.core import publish_parts
+from reStructuredText import HTML, Warnings
-from reStructuredText import HTML
-
txt = """Hello World
============
@@ -20,6 +21,15 @@
"""
+docutils_include_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils"><string></tt>, line 2)</p>
+<p>"include" directive disabled.</p>'''
+
+docutils_raw_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils"><string></tt>, line 1)</p>
+<p>"raw" directive disabled.</p>'''
+
+
class TestReST(unittest.TestCase):
def testRoman(self):
@@ -81,42 +91,67 @@
output = HTML(input)
self.assertEquals(output, expected)
+ def test_file_insertion_off_by_default(self):
+ directive = '.. include:: /etc/passwd'
+ source = 'hello world\n %s' % directive
+ parts = publish_parts(source=source, writer_name='html4css1',
+ settings_overrides={'warning_stream': Warnings()})
+ # The include: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(directive in parts['body'])
+ self.assert_(docutils_include_warning in parts['body'])
+
def test_include_directive_raises(self):
- source = 'hello world\n .. include:: /etc/passwd'
- self.assertRaises(NotImplementedError, HTML, source)
+ directive = '.. include:: /etc/passwd'
+ source = 'hello world\n %s' % directive
+ result = HTML(source)
+ # The include: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(directive in result)
+ self.assert_(docutils_include_warning in result)
+
def test_raw_directive_disabled(self):
-
EXPECTED = '<h1>HELLO WORLD</h1>'
-
source = '.. raw:: html\n\n %s\n' % EXPECTED
result = HTML(source) # don't raise, but don't work either
- self.failIf(EXPECTED in result)
- self.failUnless(""raw" directive disabled" in result)
- from cgi import escape
- self.failUnless(escape(EXPECTED) in result)
+ # The raw: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(EXPECTED not in result)
+ self.assert_(cgi.escape(EXPECTED) in result)
+ self.assert_(docutils_raw_warning in result)
def test_raw_directive_file_option_raises(self):
-
source = '.. raw:: html\n :file: inclusion.txt'
- self.assertRaises(NotImplementedError, HTML, source)
+ result = HTML(source)
+ # The raw: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(source in result)
+ self.assert_(docutils_raw_warning in result)
+
def test_raw_directive_url_option_raises(self):
-
source = '.. raw:: html\n :url: http://www.zope.org'
- self.assertRaises(NotImplementedError, HTML, source)
+ result = HTML(source)
+ # The raw: directive hasn't been rendered, it remains
+ # verbatimly in the rendered output. Instead a warning
+ # message is presented:
+ self.assert_(source in result)
+ self.assert_(docutils_raw_warning in result)
def test_csv_table_file_option_raise(self):
-
source = '.. csv-table:: \n :file: inclusion.txt'
result = HTML(source)
self.failUnless('File and URL access deactivated' in result)
def test_csv_table_url_option_raise(self):
-
source = '.. csv-table:: \n :url: http://www.evil.org'
result = HTML(source)
self.failUnless('File and URL access deactivated' in result)
More information about the Zope-Checkins
mailing list