[Zope-Checkins]
SVN: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/
docutil's security restrictions are now applied using a
monkey patch;
this way the upstream version of docutils can be used (i.e. an egg)
Andreas Zeidler
az at zitc.de
Mon Jun 4 19:26:54 EDT 2007
Log message for revision 76343:
docutils' security restrictions are now applied using a monkey patch; this way the upstream version of docutils can be used (i.e. an egg)
Changed:
_U Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/
A Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/
A Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py
U Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py
-=-
Property changes on: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python
___________________________________________________________________
Name: svn:externals
- ZConfig svn://svn.zope.org/repos/main/ZConfig/tags/ZConfig-2.3.1
BTrees -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/BTrees
persistent -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/persistent
ThreadedAsync -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ThreadedAsync
transaction -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/transaction
ZEO -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZEO
ZODB -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZODB
ZopeUndo -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZopeUndo
zdaemon -r 40792 svn://svn.zope.org/repos/main/zdaemon/trunk/src/zdaemon
pytz -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/pytz
zodbcode -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/zodbcode
mechanize -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/mechanize
docutils svn://svn.zope.org/repos/main/docutils/tags/0.4.0-zope
ClientForm svn://svn.zope.org/repos/main/Zope3/trunk/src/ClientForm
RestrictedPython svn://svn.zope.org/repos/main/RestrictedPython/tags/3.4.0/src/RestrictedPython
+ ZConfig svn://svn.zope.org/repos/main/ZConfig/tags/ZConfig-2.3.1
BTrees -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/BTrees
persistent -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/persistent
ThreadedAsync -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ThreadedAsync
transaction -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/transaction
ZEO -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZEO
ZODB -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZODB
ZopeUndo -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZopeUndo
zdaemon -r 40792 svn://svn.zope.org/repos/main/zdaemon/trunk/src/zdaemon
pytz -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/pytz
zodbcode -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/zodbcode
mechanize -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/mechanize
docutils svn://svn.zope.org/repos/main/docutils/tags/0.4.0
ClientForm svn://svn.zope.org/repos/main/Zope3/trunk/src/ClientForm
RestrictedPython svn://svn.zope.org/repos/main/RestrictedPython/tags/3.4.0/src/RestrictedPython
Added: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py
===================================================================
--- Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py (rev 0)
+++ Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py 2007-06-04 23:26:53 UTC (rev 76343)
@@ -0,0 +1,53 @@
+##############################################################################
+#
+# Copyright (c) 2002 Zope Corporation and Contributors. All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##############################################################################
+""" security patches for docutils """
+
+try:
+ import docutils
+except ImportError:
+ raise ImportError, 'Please install docutils 0.4.0+ from http://docutils.sourceforge.net/#download.'
+
+version = docutils.__version__.split('.')
+if not (version >= ['0', '4', '0'] or version >= ['0', '4']):
+ raise ImportError, """Old version of docutils found:
+Got: %(version)s, required: 0.4.0+
+Please remove docutils from %(path)s and replace it with a new version. You
+can download docutils at http://docutils.sourceforge.net/#download.
+""" % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }
+
+
+# disable inclusion of files for security reasons
+# this way we don't need a custom version of docutils anymore
+import docutils.parsers.rst.directives.misc
+
+# additional import needed here since raw's func_code was swapped below...
+from docutils import nodes
+
+def include(*args, **kw):
+ """ disabled for security reasons """
+ raise NotImplementedError, 'File inclusion not allowed!'
+docutils.parsers.rst.directives.misc.include.func_code = include.func_code
+
+def raw_orig(*args, **kw):
+ """ place holder for original copy of function """
+ pass
+raw_orig.func_code = docutils.parsers.rst.directives.misc.raw.func_code
+docutils.parsers.rst.directives.misc.raw_orig = raw_orig
+
+def raw(name, arguments, options, *args, **kw):
+ """ disabled specific options for security reasons """
+ if options.has_key('file') or options.has_key('url'):
+ raise NotImplementedError, 'File inclusion not allowed!'
+ return raw_orig(name, arguments, options, *args, **kw)
+docutils.parsers.rst.directives.misc.raw.func_code = raw.func_code
+
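Review bot: The restriction added here covers only the `include` directive and the `file`/`url` options of `raw`, and it works by overwriting `func_code`, so it holds only while upstream docutils keeps both directives as module-level functions under these names. docutils has its own `file_insertion_enabled` setting for the same purpose (upstream documents it as also gating the file and URL options of `csv-table`, which this module does not touch; worth confirming for 0.4.0), and passing `settings_overrides={'file_insertion_enabled': 0}` where the publisher is invoked would leave the monkey patch as a backstop rather than the sole control. Separately, the check on the `if not (version >= ...` line compares lists of strings, so a release numbered 0.10 would sort below 0.4 and be refused; `version = tuple(map(int, docutils.__version__.split('.')[:2]))` followed by `if version < (0, 4):` compares numerically. A regression test that renders input containing an `include` and a `raw` with `:file:` and asserts both are refused would catch a docutils upgrade that bypasses the patch.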
Modified: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py
===================================================================
--- Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py 2007-06-04 23:16:26 UTC (rev 76342)
+++ Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py 2007-06-04 23:26:53 UTC (rev 76343)
@@ -28,6 +28,9 @@
can download docutils at http://docutils.sourceforge.net/#download.
""" % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }
+# monkey patch docutils for security reasons
+import docutilsSecurityPatches
+
import sys, os, locale
from App.config import getConfiguration
from docutils.core import publish_parts
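Review bot: The restriction takes effect only once this package has been imported, so any code in the same process that renders reST through docutils without going through `reStructuredText` would presumably run unpatched until then; callers are not visible in this hunk, so that is worth checking. The comment above the import could say that the name is never used and the import exists for its side effect, e.g. `# side-effect import: patches docutils' include/raw directives; do not remove as unused`. The version check whose tail shows in the context lines is now duplicated in `docutilsSecurityPatches`, so one copy could go.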