Recently, a serious security flaw was found in Zope 2 due to it's improper support for allowing reStructuredText to be edited through- the-web. reStructuredText has directives that allow inclusion of any file a Zope process could read and inclusion of data obtained from fetching arbitrary URLs. In a trusted environment, these directives have legitimate uses. The feature of including files and URL results should not be enabled for text entered from untrusted sources, which applies to most through-the-web interactions.

The recent hotfix:

addresses the problem for Zope 2.

It is safe to allow reStructuredText through the web with care. The inclusion of files or URL results can be disabled, but the programmer must explicitly disable the feature. It is not disabled by default. It is also critical that a developer who exposes through-the-web reStructuredText have tests to verify that the file/url inclusion feature has been disabled.

Zope 3 itself, as released, doesn't have this problem because it doesn't allow reST entry through the web. There are third-party applications, however, including 2 packages in the Zope 3 subversion tree that do have this problem. I strongly urge you to avoid using any Zope package that allows through-the-web input of reStructuredText unless you can verify that file/url has been properly disabled.

The zwiki and bugtracker packages do not currently disable file/url inclusion and should not be used in situations in which users who are not highly trusted have access to these applications. If you are using a Zope 3 checkout, these packages are currently included and enabled. I plan to remove these packages from the Zope 3 repository tree within the next few hours. If you are using a checkout-based Zope 3 installation that exposes these packages to untrusted users, you are strongly urged to disable these packages by removing the following files from your package-includes directory:


Removing these files will also avoid problems when you update your checkout later, as these will refer to non-existent packages.


Jim Fulton                      mailto:[EMAIL PROTECTED]                Python 
CTO                             (540) 361-1714         
Zope Corporation   

Zope-Announce maillist  -

 Zope-Announce for Announcements only - no discussions

(Related lists - Users:
Developers: )

Reply via email to