[Zope-dev] Re: 2.9.4? reStructuredText support?
Tres Seaver
tseaver at palladion.com
Sat Jul 8 15:40:30 EDT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jim Fulton wrote:
>
> On Jul 8, 2006, at 10:09 AM, Andreas Jung wrote:
>
>>
>>
>> --On 8 July 2006 09:53:47 -0400 Jim Fulton <jim at zope.com> wrote:
> ...
>>>>> Tres came up with this sledge hammer because he has no confidence
>>>>> in people's willingness to test and implement this feature properly.
>>>>
>>>> I am fine with the sledge-hammer. I've never claimed that we need
>>>> to support file insertion and raw support in any way. We don't
>>>> need, we can kick it.
>>>> But removing or disabling a feature because we are possibly
>>>> incompetent would be just ridiculous.
>>>
>>> I can live with the sledge hammer for Zope 2. All I ask for is tests.
>>>
>>> If there are tests for each way of invoking reST through the web that
>>> verifies that file-inclusion isn't enabled, then it's alright with
>>> me if
>>> the sledge hammer is used to make the tests pass. I won't tolerate an
>>> untested feature with so much security risk.
>>
>> Yes, someone has to write the tests at some time, soon.
>
> Right. Before 2.10.
>
>> As I pointed out the risk is minimal for Zope-apps because you need to
>> have access to the ZMI.
>
> No, it's not. Getting at arbitrary files is not acceptable from the ZMI.
Agreed. Much of Zope's security machinery would be irrelevant if we
didn't care about untrusted users entering more-or-less executable
content TTW.
>> so what are security concerns in this case? And file inclusion won't
>> work if the related code is stripped off...so what are your security
>> concerns in this case?
>
> I am concerned by the lack of tests. Whoever created the last hot fix
> was sure the problem was fixed. They were wrong and we're paying the
> price.
I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils: none of us was aware of the 'raw'
directive as an attack vector for file inclusion until you mentioned it
the other day.
We *did* disable the vector we knew about (the 'include' directive, when
processed from a ZMI-based ReST Document). I think we can be off the
hook for the Plone version, as I think they don't call the same function
to render the text; the DTML-based version, OTOH, was our fault (I
didn't know 'fmt="restructured-text"' existed until this week).
Tres.
- --
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEsAot+gerLs4ltQ4RAuiGAKCfqNcNx2g9Ffw1879ornZVWLmpHACfUZXv
6c3PGtRAwtXdY7xFgmGE76U=
=7tjp
-----END PGP SIGNATURE-----
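The kind of test Jim asks for above, as an added example that is not part of the thread and not Zope's own code: it renders reST with docutils under the two settings that form the "sledge hammer" (`file_insertion_enabled` and `raw_enabled`, both real docutils settings) and checks that neither the `include` directive nor `raw` with `:file:` can pull a file's contents into the output. It assumes docutils is installed; the sentinel string, the temporary file and the helper names (`render_rest`, `file_inclusion_possible`) are constructed for this example.

```python
"""Regression check for ReST rendering: confirm that the `include` and
`raw` directives cannot read files off the filesystem once docutils'
file-insertion settings are switched off."""
import io
import os
import tempfile

from docutils.core import publish_parts

# Constructed sentinel: if it appears in rendered output, the renderer read the file.
SENTINEL = "SENTINEL-FILE-CONTENT-4e2c"

# The two docutils settings that close the vectors discussed in the thread.
SAFE_SETTINGS = {
    "file_insertion_enabled": False,  # disables `include`, and `raw` with :file:/:url:
    "raw_enabled": False,             # disables `raw` entirely, inline content too
}


def render_rest(source, settings=None):
    """Render a reST string to an HTML body fragment with the given overrides."""
    overrides = {
        "_disable_config": True,          # ignore any docutils.conf on the host
        "warning_stream": io.StringIO(),  # keep system messages off stderr
    }
    overrides.update(settings or {})
    return publish_parts(source=source, writer_name="html",
                         settings_overrides=overrides)["body"]


def attempted_inclusions(path):
    """The two ways a document author can ask docutils to read a file (constructed input)."""
    return {
        "include": f".. include:: {path}\n",
        "raw-file": f".. raw:: html\n   :file: {path}\n",
    }


def file_inclusion_possible(settings):
    """Map each directive name to True if the temp file's contents leaked into the output."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SENTINEL + "\n")
        path = fh.name
    try:
        return {name: SENTINEL in render_rest(src, settings)
                for name, src in attempted_inclusions(path).items()}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Default settings read the file; the safe settings refuse with a system message.
    print("defaults:", file_inclusion_possible({}))
    print("safe:    ", file_inclusion_possible(SAFE_SETTINGS))
    print(render_rest(".. include:: /etc/hostname\n", SAFE_SETTINGS))
```

With the safe settings the directive is replaced by a `"include" directive disabled.` system message plus the directive's own text in a literal block, so the check is simply that the sentinel never appears; running the same check against the default settings is what shows why the override matters, and a test like this belongs on every code path that renders user-supplied reST (the ZMI document, the DTML `fmt` path, and so on), since each one constructs its own settings.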