Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-19 Thread David Pratt
Jim Fulton wrote: On Jul 18, 2006, at 2:55 PM, David Pratt wrote: Hi Jim. I was noticing a 0.4.0-zope in distutils I don't know what you mean by this. that looks patched with NotImplementedErrors for the offending code in docutils.parsers.rst.directives.misc. Can you when this will land

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-19 Thread Benji York
David Pratt wrote: You are probably right but just the same I'd rather see the patched version for z3 also since I am certain this will become less obvious over time if it is left the way it is. Instead of maintaining a fork of docutils, Zope 3 should (and may already, I haven't been keeping

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-19 Thread David Pratt
Benji York wrote: David Pratt wrote: You are probably right but just the same I'd rather see the patched version for z3 also since I am certain this will become less obvious over time if it is left the way it is. Instead of maintaining a fork of docutils, Zope 3 should (and may already, I

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-19 Thread Benji York
David Pratt wrote: What about the idea of maintaining a text file in the distribution specific to possible security issues. Is this worth considering for historical purposes so they do not get lost over time or implicitly understood by only a handful of people. Exactly. Any package that

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-19 Thread David Pratt
Benji York wrote: David Pratt wrote: What about the idea of maintaining a text file in the distribution specific to possible security issues. Is this worth considering for historical purposes so they do not get lost over time or implicitly understood by only a handful of people. Exactly.

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-19 Thread Jim Fulton
On Jul 19, 2006, at 8:35 AM, David Pratt wrote: Benji York wrote: David Pratt wrote: You are probably right but just the same I'd rather see the patched version for z3 also since I am certain this will become less obvious over time if it is left the way it is. Instead of maintaining a

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-19 Thread Jim Fulton
On Jul 19, 2006, at 8:47 AM, Benji York wrote: David Pratt wrote: What about the idea of maintaining a text file in the distribution specific to possible security issues. Is this worth considering for historical purposes so they do not get lost over time or implicitly understood by only

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-18 Thread David Pratt
Hi Jim. I was noticing a 0.4.0-zope in distutils that looks patched with NotImplementedErrors for the offending code in docutils.parsers.rst.directives.misc. Can you when this will land in the Zope3 trunk? Regards, David Jim Fulton wrote: On Jul 8, 2006, at 11:49 AM, David Pratt wrote:

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-18 Thread Jim Fulton
On Jul 18, 2006, at 2:55 PM, David Pratt wrote: Hi Jim. I was noticing a 0.4.0-zope in distutils I don't know what you mean by this. that looks patched with NotImplementedErrors for the offending code in docutils.parsers.rst.directives.misc. Can you when this will land in the Zope3

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-08 Thread David Pratt
Jim Fulton wrote: Recently, a serious security flaw was found in Zope 2 due to its improper support for allowing reStructuredText to be edited through-the-web. reStructuredText has directives that allow inclusion of any file a Zope process could read and inclusion of data obtained from

Re: [Zope3-Users] Security alert: use of Through-the-Web reStructuredText

2006-07-08 Thread Jim Fulton
On Jul 8, 2006, at 11:49 AM, David Pratt wrote: Jim Fulton wrote: Recently, a serious security flaw was found in Zope 2 due to its improper support for allowing reStructuredText to be edited through-the-web. reStructuredText has directives that allow inclusion of any file a Zope