[Zope3-dev] Re: Through-the-web reStructuredText

2006-07-08 Thread Michael Haubenwallner

Tres Seaver wrote:


Michael Haubenwallner wrote:

Tres Seaver wrote:


Jim Fulton wrote:


Zope 3, as released, is not affected by the security hole that
has plagued Zope 2, however, Michael Haubenwallner has pointed
out that some add-on-products, such as zwiki and bugtracker, may
provide TTW reST.

They appear to be safe for the moment, but not because they
intentionally disable file inclusion:  rather, they have a bug (they set
the 'encoding' to 'unicode', which then causes an exception).


Both reStructuredText directives 'include' and 'raw' have an 'encoding'
option to set the name of the text encoding of the external data file/raw
data (file or URL); it defaults to the document's encoding (if specified).

.. include:: filename.ext
  :encoding: utf-8

.. raw:: html
  :file: filename.ext
  :encoding: utf-8

should work as expected

Michael



Verified.  Both wikis and bugtracker issues are capable of including
arbitrary files using that spelling (in an instance created from today's
Zope3 trunk, anyway).




Zope3 accesses docutils in a single point atm:
zope.app.renderer.rest.ReStructuredTextToHTMLRenderer.render()

All objects created from the factory zope.source.rest are rendered here.
It should be possible to configure the docutils parser (and its 
directives) by adjusting the 'settings_overrides' values.


I think the same can be done (and is done already) for Zope2.x in 
lib.python.reStructuredText.render() with the 'settings' dictionary.


That way it would be possible to make the parser usage configurable and 
no need to use a patched docutils.


Michael

--
http://zope.org/Members/d2m
http://planetzope.org

___
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com



Re: [Zope3-dev] Re: The bug fixing problem

2006-07-08 Thread Marius Gedminas
On Fri, Jul 07, 2006 at 08:48:39PM +0200, [EMAIL PROTECTED] wrote:
 In many cases, I can convince myself that a fix does actually work without
 performing a test -- at least in the sense that it removes one bug.

In many cases I have made completely trivial bug fixes that I was
absolutely confident about.  I wrote unit tests for those bug fixes only
out of habit.

Quite often I was surprised when my superfluous tests caught bugs in
my trivial bugfixes.

Marius Gedminas
-- 
Look!  Before our very eyes, the future is becoming the past.





[Zope3-dev] Security alert: use of Through-the-Web reStructuredText

2006-07-08 Thread Jim Fulton
Recently, a serious security flaw was found in Zope 2 due to its
improper support for allowing reStructuredText to be edited
through-the-web.  reStructuredText has directives that allow inclusion
of any file a Zope process could read and inclusion of data obtained
from fetching arbitrary URLs.  In a trusted environment, these
directives have legitimate uses.  The feature of including files and
URL results should not be enabled for text entered from untrusted
sources, which applies to most through-the-web interactions.


The recent hotfix:

  http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-2006-07-05

addresses the problem for Zope 2.

It is safe to allow reStructuredText through the web with care.  The  
inclusion of files or URL results can be disabled, but the programmer  
must explicitly disable the feature.  It is not disabled by default.   
It is also critical that a developer who exposes through-the-web  
reStructuredText have tests to verify that the file/url inclusion  
feature has been disabled.


Zope 3 itself, as released, doesn't have this problem because it  
doesn't allow reST entry through the web.  There are third-party  
applications, however, including 2 packages in the Zope 3 subversion  
tree that do have this problem.  I strongly urge you to avoid using  
any Zope package that allows through-the-web input of  
reStructuredText unless you can verify that file/url has been  
properly disabled.


The zwiki and bugtracker packages do not currently disable file/url  
inclusion and should not be used in situations in which users who are  
not highly trusted have access to these applications.  If you are  
using a Zope 3 checkout, these packages are currently included and  
enabled.  I plan to remove these packages from the Zope 3 repository  
tree within the next few hours.  If you are using a checkout-based  
Zope 3 installation that exposes these packages to untrusted users,  
you are strongly urged to disable these packages by removing the  
following files from your package-includes directory:


  zwiki-configure.zcml
  bugtracker-configure.zcml

Removing these files will also avoid problems when you update your  
checkout later, as these will refer to non-existent packages.


Jim

--
Jim Fulton          mailto:[EMAIL PROTECTED]    Python Powered!
CTO                 (540) 361-1714               http://www.python.org
Zope Corporation    http://www.zope.com          http://www.zope.org



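A settings_overrides dictionary of the kind Michael describes for zope.app.renderer, together with the verification Jim asks for, as an added example that is not code from Zope, docutils or this thread: SAFE_SETTINGS and the two function names are assumed, while file_insertion_enabled and raw_enabled are docutils' own settings.

```python
import os
import tempfile

# Hypothetical name for the overrides; the keys are docutils' own settings.
# Left at their defaults, docutils honours ".. include::" (any readable file)
# and ".. raw::" with :file:/:url: (files and fetched URLs) in every document.
SAFE_SETTINGS = {
    "file_insertion_enabled": False,  # include, and :file:/:url: on raw
    "raw_enabled": False,             # the raw directive as a whole
}


def render_untrusted_rest(text, settings_overrides=SAFE_SETTINGS):
    """Render reST entered through the web to an HTML body fragment."""
    # Imported where used so the settings above can be inspected without
    # docutils installed; the renderer itself needs it.
    from docutils.core import publish_parts
    parts = publish_parts(text, writer_name="html",
                          settings_overrides=dict(settings_overrides))
    return parts["body"]


def inclusion_is_disabled(settings_overrides=SAFE_SETTINGS):
    """True only if neither include nor raw can pull a local file in.

    The check owns its input: it writes a sentinel to a temporary file and
    renders constructed documents that try to include it both ways.
    """
    sentinel = "SENTINEL-MUST-NOT-APPEAR"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(sentinel + "\n")
        path = fh.name
    try:
        samples = [
            ".. include:: %s\n" % path,
            ".. raw:: html\n   :file: %s\n" % path,
        ]
        return all(sentinel not in render_untrusted_rest(doc, settings_overrides)
                   for doc in samples)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # With the overrides the sentinel never reaches the output; with docutils'
    # defaults ({}) it does, which is the point Jim's alert makes.
    print("safe overrides:", inclusion_is_disabled())
    print("docutils defaults:", inclusion_is_disabled({}))
```

Run inclusion_is_disabled() from the application's test suite so a change to the overrides, or an upgrade of docutils, cannot silently re-enable inclusion.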



[Zope3-dev] Re: Through-the-web reStructuredText

2006-07-08 Thread Tres Seaver

Michael Haubenwallner wrote:
 Tres Seaver wrote:

 Michael Haubenwallner wrote:
 Tres Seaver wrote:

 Jim Fulton wrote:

 Zope 3, as released, is not affected by the security hole that
 has plagued Zope 2, however, Michael Haubenwallner has pointed
 out that some add-on-products, such as zwiki and bugtracker, may
 provide TTW reST.
 They appear to be safe for the moment, but not because they
 intentionally disable file inclusion:  rather, they have a bug (they
 set
 the 'encoding' to 'unicode', which then causes an exception).

 Both reStructuredText directives 'include' and 'raw' have an 'encoding'
 option to set the name of the text encoding of the external data file/raw
 data (file or URL); it defaults to the document's encoding (if
 specified).

 .. include:: filename.ext
   :encoding: utf-8

 .. raw:: html
   :file: filename.ext
   :encoding: utf-8

 should work as expected

 Michael


 Verified.  Both wikis and bugtracker issues are capable of including
 arbitrary files using that spelling (in an instance created from today's
 Zope3 trunk, anyway).


 
 Zope3 accesses docutils in a single point atm:
 zope.app.renderer.rest.ReStructuredTextToHTMLRenderer.render()
 
 All objects created from the factory zope.source.rest are rendered here.
 It should be possible to configure the docutils parser (and its
 directives) by adjusting the 'settings_overrides' values.
 
 I think the same can be done (and is done already) for Zope2.x in
 lib.python.reStructuredText.render() with the 'settings' dictionary.
 
 That way it would be possible to make the parser usage configurable and
 no need to use a patched docutils.

In Zope2 land, the module is still available, and can be used by other
code (which may not know of that issue).  I'm *not* in favor of shipping
an un-patched docutils until we work this out.  For instance, perhaps we
should be patching docutils to make the *default* settings disable file
inclusion and 'raw';  then the trusted code which wanted to render reST
which legitimately needed those features could enable them explicitly.


Tres.
--
===
Tres Seaver  +1 202-558-7113  [EMAIL PROTECTED]
Palladion Software   Excellence by Design    http://palladion.com




[Zope3-dev] buildbot failure in Zope3 trunk 2.4 FreeBSD tmiddleton

2006-07-08 Thread buildbot
The Buildbot has detected a failed build of Zope3 trunk 2.4 FreeBSD tmiddleton.

Buildbot URL: http://buildbot.zope.org/

Build Reason: changes
Build Source Stamp: 6532
Blamelist: jim,philikon,tseaver

BUILD FAILED: failed test

sincerely,
 -The Buildbot




[Zope3-dev] buildbot failure in Zope3 branches 3.3 2.4 Linux remy

2006-07-08 Thread buildbot
The Buildbot has detected a failed build of Zope3 branches 3.3 2.4 Linux remy.

Buildbot URL: http://buildbot.zope.org/

Build Reason: changes
Build Source Stamp: 6536
Blamelist: jim,philikon

BUILD FAILED: failed test

sincerely,
 -The Buildbot




[Zope3-dev] buildbot failure in Zope3 branches Zope-3.1 2.4 Linux remy

2006-07-08 Thread buildbot
The Buildbot has detected a failed build of Zope3 branches Zope-3.1 2.4 Linux remy.

Buildbot URL: http://buildbot.zope.org/

Build Reason: changes
Build Source Stamp: 6538
Blamelist: Zen,alecm,andreasjung,baijum,benji,benji_york,chrisw,ctheune,dominikhuber,efge,fdrake,flox,hdima,jens,jim,jukart,mgedmin,oestermeier,philikon,poster,regebro,rocky,shh,srichter,stevea,tseaver,yuppie

BUILD FAILED: failed test_2

sincerely,
 -The Buildbot




[Zope3-dev] buildbot failure in Zope3 branches Zope-3.1 2.4 Windows 2000 zc-bbwin4

2006-07-08 Thread buildbot
The Buildbot has detected a failed build of Zope3 branches Zope-3.1 2.4 Windows 2000 zc-bbwin4.

Buildbot URL: http://buildbot.zope.org/

Build Reason: changes
Build Source Stamp: 6539
Blamelist: jim

BUILD FAILED: failed test

sincerely,
 -The Buildbot




Re: [Zope3-dev] buildbot failure in Zope3 branches Zope-3.1 2.4 Windows 2000 zc-bbwin4

2006-07-08 Thread Benji York

[EMAIL PROTECTED] wrote:

The Buildbot has detected a failed build of Zope3 branches Zope-3.1 2.4 Windows 2000 zc-bbwin4.


Jim, this failure seems to be related to your recent ZEO work.  Here's a 
link to the log: 
http://buildbot.zope.org/Zope3%20branches%20Zope-3.1%202.4%20Windows%202000%20zc-bbwin4/builds/3/test/0

--
Benji York
Senior Software Engineer
Zope Corporation



Re: [Zope3-dev] pkg_resources or pkgutil?

2006-07-08 Thread Fred Drake

On 5/25/06, Philipp von Weitershausen [EMAIL PROTECTED] wrote:

I think they do pretty much the same thing (but I could be mistaken).
Are they interchangeable? If not, are they compatible so that we just
add both ways to both files? If they're not compatible, which one should
we use in the future?


Looks like no one bothered to answer this.  :-(

No, they aren't equivalent.  The pkg_resources flavor is only
effective if pkg_resources is available; I don't think that should be
assumed.  The pkgutil.extend_path version should be used as the
fallback when pkg_resources is not available.


 -Fred

--
Fred L. Drake, Jr.    fdrake at gmail.com
Every sin is the result of a collaboration. --Lucius Annaeus Seneca