[Zope-dev] Re: 2.9.4? reStructuredText support?

Tres Seaver tseaver at palladion.com
Sat Jul 8 15:40:30 EDT 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jim Fulton wrote:
> 
> On Jul 8, 2006, at 10:09 AM, Andreas Jung wrote:
> 
>>
>>
>> --On 8. Juli 2006 09:53:47 -0400 Jim Fulton <jim at zope.com> wrote:
> ...
>>>>> Tres came up with this sledge hammer because he has no confidence
>>>>> in people's willingness to test and implement this feature properly.
>>>>
>>>> I am fine with the sledge-hammer. I've never claimed that we need
>>>> to support file insertion and raw support in any way. We don't
>>>> need, we can kick it.
>>>> But removing or disabling a feature because we are possibly
>>>> incompetent would be just ridiculous.
>>>
>>> I can live with the sledge hammer for Zope 2.  All I ask for is tests.
>>>
>>> If there are tests for each way of invoking reST through the web that
>>> verifies that file-inclusion isn't enabled, then it's alright with
>>> me  if
>>> the sledge hammer is used to make the tests pass.  I won't  tolerate an
>>> untested feature with so much security risk.
>>
>> Yes, someone has to write the tests at some time, soon.
> 
> Right. Before 2.10.
> 
>> As I pointed out the risk is minimal for Zope-apps because you need to
>> have access to the ZMI..
> 
> No, it's not.  Getting at arbitrary files is not acceptable from the ZMI.

Agreed.  Much of Zope's security machinery would be irrelevant if we
didn't care about untrusted users entering more-or-less executable
content TTW.

>> so what are security concerns in this case? And file inclusion won't
>> work if the related code is stripped off...so what are your security
>> concerns in this case?
> 
> I am concerned by the lack of tests.  Whoever created the last hot fix
> was sure the problem was fixed.  They were wrong and we're paying the
> price.

I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils:  none of us was aware of the 'raw'
directive as an attack vector for file inclusion until you mentioned it
the other day.

We *did* disable the vector we knew about (the 'include' directive, when
processed from a ZMI-based ReST Document).  I think we can be off the
hook for the Plone version, as I think they don't call the same function
to render the text;  the DTML-based version, OTOH, was our fault (I
didn't know 'fmt="restructured-text"' existed until this week).


Tres.
- --
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEsAot+gerLs4ltQ4RAuiGAKCfqNcNx2g9Ffw1879ornZVWLmpHACfUZXv
6c3PGtRAwtXdY7xFgmGE76U=
=7tjp
-----END PGP SIGNATURE-----

More information about the Zope-Dev mailing list