Log message for revision 76343: docutil's security restrictions are now applied using a monkey patch; this way the upstream version of docutils can be used (i.e. an egg)
Changed: _U Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/ A Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/ A Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py U Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py -=- Property changes on: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python ___________________________________________________________________ Name: svn:externals - ZConfig svn://svn.zope.org/repos/main/ZConfig/tags/ZConfig-2.3.1 BTrees -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/BTrees persistent -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/persistent ThreadedAsync -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ThreadedAsync transaction -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/transaction ZEO -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZEO ZODB -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZODB ZopeUndo -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZopeUndo zdaemon -r 40792 svn://svn.zope.org/repos/main/zdaemon/trunk/src/zdaemon pytz -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/pytz zodbcode -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/zodbcode mechanize -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/mechanize docutils svn://svn.zope.org/repos/main/docutils/tags/0.4.0-zope ClientForm svn://svn.zope.org/repos/main/Zope3/trunk/src/ClientForm RestrictedPython svn://svn.zope.org/repos/main/RestrictedPython/tags/3.4.0/src/RestrictedPython + ZConfig svn://svn.zope.org/repos/main/ZConfig/tags/ZConfig-2.3.1 BTrees -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/BTrees persistent -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/persistent ThreadedAsync -r 68677 
svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ThreadedAsync transaction -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/transaction ZEO -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZEO ZODB -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZODB ZopeUndo -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZopeUndo zdaemon -r 40792 svn://svn.zope.org/repos/main/zdaemon/trunk/src/zdaemon pytz -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/pytz zodbcode -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/zodbcode mechanize -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/mechanize docutils svn://svn.zope.org/repos/main/docutils/tags/0.4.0 ClientForm svn://svn.zope.org/repos/main/Zope3/trunk/src/ClientForm RestrictedPython svn://svn.zope.org/repos/main/RestrictedPython/tags/3.4.0/src/RestrictedPython
Added: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py
===================================================================
--- Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py (rev 0)
+++ Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py 2007-06-04 23:26:53 UTC (rev 76343)
@@ -0,0 +1,53 @@
+##############################################################################
+#
+# Copyright (c) 2002 Zope Corporation and Contributors. All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##############################################################################
+""" security patches for docutils """
+
+try:
+ import docutils
+except ImportError:
+ raise ImportError, 'Please install docutils 0.4.0+ from http://docutils.sourceforge.net/#download.'
+
+version = docutils.__version__.split('.')
+if not (version >= ['0', '4', '0'] or version >= ['0', '4']):
+ raise ImportError, """Old version of docutils found:
+Got: %(version)s, required: 0.4.0+
+Please remove docutils from %(path)s and replace it with a new version. You
+can download docutils at http://docutils.sourceforge.net/#download.
+""" % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }
+
+
+# disable inclusion of files for security reasons
+# this way we don't need a custom version of docutils anymore
+import docutils.parsers.rst.directives.misc
+
+# additional import needed here since raw's func_code was swapped below...
+from docutils import nodes
+
+def include(*args, **kw):
+ """ disabled for security reasons """
+ raise NotImplementedError, 'File inclusion not allowed!'
+docutils.parsers.rst.directives.misc.include.func_code = include.func_code
+
+def raw_orig(*args, **kw):
+ """ place holder for original copy of function """
+ pass
+raw_orig.func_code = docutils.parsers.rst.directives.misc.raw.func_code
+docutils.parsers.rst.directives.misc.raw_orig = raw_orig
+
+def raw(name, arguments, options, *args, **kw):
+ """ disabled specific options for security reasons """
+ if options.has_key('file') or options.has_key('url'):
+ raise NotImplementedError, 'File inclusion not allowed!'
+ return raw_orig(name, arguments, options, *args, **kw)
+docutils.parsers.rst.directives.misc.raw.func_code = raw.func_code
+
Modified: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py
===================================================================
--- Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py 2007-06-04 23:16:26 UTC (rev 76342)
+++ Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py 2007-06-04 23:26:53 UTC (rev 76343)
@@ -28,6 +28,9 @@
 can download docutils at http://docutils.sourceforge.net/#download.
 """ % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }

+# monkey patch docutils for security reasons
+import docutilsSecurityPatches
+
 import sys, os, locale
 from App.config import getConfiguration
 from docutils.core import publish_parts
_______________________________________________
Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins
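Review bot: The version gate compares lists of strings, so a two-digit component sorts wrongly (`['0', '10'] >= ['0', '4']` is false) and the first clause `version >= ['0', '4', '0']` adds nothing to `version >= ['0', '4']`; comparing integers, e.g. `version = tuple(int(p) for p in docutils.__version__.split('.')[:2])` followed by `if version < (0, 4):`, avoids both. The gate also has no upper bound, while the `func_code` swaps below only work if `misc.include` and `misc.raw` are plain module-level functions, which presumably holds only for the docutils layout this was written against, so it would be worth checking that before patching and raising ImportError otherwise. `raw_orig` executes the original bytecode against this module's globals, so it relies on `nodes` being the only global that the non-file path of the original `raw` needs; the comment above `from docutils import nodes` should state that assumption explicitly. docutils' own `file_insertion_enabled` and `raw_enabled` settings may be a less fragile way to enforce the same restriction.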
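Review bot: With the `0.4.0-zope` external replaced by stock docutils, the include/raw restriction only exists once this `import docutilsSecurityPatches` has run, so any code in the same process that renders untrusted reStructuredText through docutils without first importing `reStructuredText` would have file inclusion available again; whether such callers exist is not visible from this hunk. Consider importing the patch module from a place that is always loaded at startup, and extending the comment to something like `# monkey patch docutils for security reasons; must run before any untrusted reST is rendered`. The rest of the module lies outside the hunk.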