[Zope-dev] Re: 2.9.4? reStructuredText support?
Tres Seaver
tseaver at palladion.com
Sun Jul 9 09:43:27 EDT 2006
Jim Fulton wrote:
>
> On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
> ...
>> I'll note that tests wouldn't have helped here in the absence of a more
>> careful security review of docutils: none of us was aware of the 'raw'
>> directive as an attack vector for file inclusion until you mentioned it
>> the other day.
>
> Except that, as you discovered, it was *not* an attack vector. Setting
> file_insertion_enabled to False disables file insertion via the raw
> directive too.
> The real problem was that you could still use the include directive to
> include files via DTML and Plone. We didn't have a test to demonstrate
> that you couldn't use file insertion from DTML. And, obviously, the
> author of the Plone feature didn't have tests either.
>
> I agree that tests are not enough. The person who brought this issue up
> at EuroPython had a good point that whenever we use 3rd-party code, we
> need to consider its security implications. We didn't even read the
> documentation for reST when we incorporated this feature.
I think we picked up the feature (file inclusion) unnoticed in an
upgrade (but could be wrong).
Tres.
--
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
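The regression test Jim says was missing, as an added example that is not from this thread or from the Zope code base: it renders constructed reST through docutils once with hardened settings and once with the defaults, and reports whether a local file's contents reached the HTML output. It assumes docutils is installed; the function names and setting dictionaries are mine.

```python
"""Check that reST rendering cannot pull local files into the output.

Exercises the two docutils directives the thread mentions (include, and
raw with :file:) against a temporary file. Assumes docutils is installed.
"""
import io
import os
import tempfile

from docutils.core import publish_parts

# Settings a reST-rendering web app should force. As the thread notes,
# file_insertion_enabled=False also covers the raw directive's :file: option.
HARDENED_SETTINGS = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
    "report_level": 2,   # keep the "directive disabled" warning visible
    "halt_level": 5,     # never raise; the output is inspected instead
}

# docutils defaults (file insertion on), quietened; the baseline that proves
# the check is not vacuous.
DEFAULT_SETTINGS = {"report_level": 5, "halt_level": 5}

MARKER = "CONSTRUCTED-SECRET-9f3a"  # constructed content of the local file


def render(source, source_path, overrides):
    """Render reST to an HTML body, capturing docutils' warnings in a buffer."""
    settings = dict(overrides)
    settings.setdefault("warning_stream", io.StringIO())
    return publish_parts(source=source, source_path=source_path,
                         writer_name="html",
                         settings_overrides=settings)["body"]


def file_contents_leak(overrides):
    """True if either file-inserting directive copied MARKER into the output."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "local.txt"), "w", encoding="utf-8") as fh:
            fh.write(MARKER + "\n")
        # Constructed input; both paths resolve relative to the document.
        source = ".. include:: local.txt\n\n.. raw:: html\n   :file: local.txt\n"
        body = render(source, os.path.join(tmp, "doc.rst"), overrides)
        return MARKER in body


if __name__ == "__main__":
    print("defaults leak file contents:", file_contents_leak(DEFAULT_SETTINGS))
    print("hardened leak file contents:", file_contents_leak(HARDENED_SETTINGS))
```

The hardened run also leaves a docutils system message in the body saying the directive is disabled, which is the visible trace to expect in a deployment that renders untrusted reST.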