[Zope-dev] 2.9.4? reStructuredText support?
Jim Fulton
jim at zope.com
Sun Jul 9 09:12:54 EDT 2006
On Jul 8, 2006, at 5:38 PM, Tino Wildenhain wrote:
> Jim Fulton wrote:
>>
> ...
>>> You mean auditing. Testing would not help imho. Testing
>>> only checks if expected behavior still works. And nobody
>>> expects the Spanish Inquisition *wink* ;)
>>
>> You can test that trying to do file-inclusion fails.
>>
>
> For example, if I were the one who would have written
> the naive test - I would not have known a file inclusion
> feature even exists or is supposed to be exposed to
> reST. So my test would not have tested it. So we had
> perfect tests for all the reST things we want and
> expect but the hole would exist anyway.
I agree that testing is not enough if you don't know what to
test for. It's sad that whoever enabled this didn't bother
to read the docutils documentation which documents the feature
and even provides a warning about its security issues:
http://docutils.sourceforge.net/docs/ref/rst/directives.html#including-an-external-document-fragment
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
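
The regression test suggested in the thread ("test that trying to do file-inclusion fails"), as an added example that is not part of the original message or of Zope's code. It assumes docutils is installed; file_insertion_enabled and raw_enabled are docutils settings, while the helper names, the sample file and its marker string are constructed for illustration.

```python
import os
import tempfile
from docutils.core import publish_string

MARKER = "CONSTRUCTED-SECRET-8421"  # constructed content of the sample file

# Real docutils settings; using them together as the profile for reST from
# untrusted users is this example's assumption.
SAFE = {"file_insertion_enabled": False, "raw_enabled": False}

# The two directives that can read a file named by the document author.
INCLUDE = "Title\n=====\n\n.. include:: {path}\n"
RAW = "Title\n=====\n\n.. raw:: html\n   :file: {path}\n"


def render(source, **overrides):
    """Render reST to pseudo-XML text with the given docutils settings."""
    settings = {"report_level": 5}  # keep system messages off stderr/output
    settings.update(overrides)
    out = publish_string(source, settings_overrides=settings)
    return out.decode("utf-8") if isinstance(out, bytes) else out


def leaks(directive_template, **overrides):
    """True if rendering the directive pulls the sample file into the output."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.txt")
        with open(path, "w") as fh:
            fh.write(MARKER + "\n")
        rendered = render(directive_template.format(path=path), **overrides)
    return MARKER in rendered


if __name__ == "__main__":
    print("include, docutils defaults:", leaks(INCLUDE))
    print("include, SAFE settings:    ", leaks(INCLUDE, **SAFE))
    print("raw :file:, SAFE settings: ", leaks(RAW, **SAFE))
```

The first call is the control: with docutils defaults the file content is included, so the later assertions fail loudly if the safe settings are ever dropped.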