Michael Haubenwallner wrote:
> Tres Seaver wrote:
>> Michael Haubenwallner wrote:
>>> Tres Seaver wrote:
>>>> Jim Fulton wrote:
>>>>> Zope 3, as releases is not affected by the security hole that
>>>>> has plagued Zope 2, however, Michael Haubenwallner has pointed
>>>>> out that some add-on-products, such as zwiki and bugtracker, may
>>>>> provide TTW reST.
>>>> They appear to be "safe" for the moment, but not because they
>>>> intentionally disable file inclusion: rather, they have a bug (they
>>>> set the 'encoding' to 'unicode', which then causes an exception).
>>> Both restructuredText directives 'include' and 'raw' have an 'encoding'
>>> option to set the name of text encoding of the external data file/raw
>>> data (file or URL), it defaults to the document's encoding (if
>>> .. include:: filename.ext
>>>    :encoding: utf-8
>>> .. raw:: html
>>>    :file: filename.ext
>>>    :encoding: utf-8
>>> should work as expected
>> Verified. Both wikis and bugtracker issues are capable of including
>> arbitrary files using that spelling (in an instance created from today's
>> Zope3 trunk, anyway).
> Zope3 accesses docutils in a single point atm:
> All objects created from the factory zope.source.rest are rendered here.
> It should be possible to configure the docutils parser (and its
> directives) by adjusting the 'settings_overrides' values.
> I think the same can be done (and is done already) for Zope2.x in
> lib.python.reStructuredText.render() with the 'settings' dictionary.
> That way it would be possible to make the parser usage configurable and
> no need to use a patched docutils.
In Zope2 land, the module is still available, and can be used by other
code (which may not know of that issue). I'm *not* in favor of shipping
an un-patched docutils until we work this out. For instance, perhaps we
should be patching docutils to make the *default* settings disable file
inclusion and 'raw'; then the trusted code which wanted to render reST
which legitimately needed those features could enable them explicitly.
Tres Seaver +1 202-558-7113
Palladion Software "Excellence by Design" http://palladion.com
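The configurable-parser approach Michael proposes above, as an added example that is not code from this thread, from Zope or from docutils: a small Python wrapper that renders reST through docutils with settings_overrides that keep file insertion and 'raw' switched off for through-the-web content, so only trusted callers enable them explicitly. It assumes docutils is installed and provides the `file_insertion_enabled` and `raw_enabled` settings (current releases do); the helper names, the temp file and the marker text are constructed for the demo.

```python
import os
import tempfile
from docutils.core import publish_parts

# Default parser settings for untrusted (TTW) reST: refuse 'include' and 'raw'.
# file_insertion_enabled=False also blocks :file: and :url: options on 'raw'.
LOCKED_DOWN = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
    "report_level": 2,  # keep the '"include" directive disabled.' warning visible
}


def render_rest(source, allow_file_insertion=False, allow_raw=False):
    """Render a reST string to an HTML body fragment.

    The safe settings are the defaults; trusted code that really needs
    file inclusion or raw passthrough has to ask for them by name.
    """
    overrides = dict(LOCKED_DOWN)
    if allow_file_insertion:
        overrides["file_insertion_enabled"] = True
    if allow_raw:
        overrides["raw_enabled"] = True
    return publish_parts(source, writer_name="html",
                         settings_overrides=overrides)["body"]


def include_leaks(trusted):
    """Render a page that does '.. include::' on a file on disk and report
    whether the file's contents reached the HTML (constructed demo file)."""
    marker = "CONSTRUCTED-SECRET-MARKER"
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(marker + "\n")
        source = "Wiki page\n=========\n\n.. include:: %s\n" % path
        html = render_rest(source, allow_file_insertion=trusted)
    finally:
        os.unlink(path)
    return marker in html


def raw_passes_through(trusted):
    """Same check for '.. raw:: html' with inline markup (no file involved)."""
    source = ".. raw:: html\n\n   <b>constructed raw markup</b>\n"
    html = render_rest(source, allow_raw=trusted)
    return "<b>constructed raw markup</b>" in html
```

With the locked-down defaults docutils replaces the refused directive with a visible system message rather than failing the whole render, so a wiki page that carries one still displays.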
Zope-Dev maillist - Zope-Dev@zope.org