Jim Fulton wrote:
> On Jul 8, 2006, at 9:17 AM, Andreas Jung wrote:
>
>>> On Jul 8, 2006, at 8:12 AM, Andreas Jung wrote:
>>>
>>>> --On 8. July 2006 07:45:01 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
>>>>
>>>> Only if there is no other option. Tres' patch seems to resolve this
>>>> issue and with further testing there is no need to remove the
>>>> functionality.
>>>
>>> "Seems" isn't good enough. It's not even close. The hot fix last fall
>>> "seemed" to fix the problem. :(
>>
>> That's still not an argument. I'll agree with you when we are all
>> convinced that we are all unable to fix this issue with a reasonable
>> effort, or when we come to the conclusion that Docutils is a problem by
>> itself...sorry, but we are not at that point so far.
>>
>>>>> Otherwise it has to go.
>>>>
>>>> No :-)
>>>
>>> Wrong. Sorry, I'll invoke Pope if I have to.
>>
>> Sorry Jim, that's weak. See above. I'll accept the decision of the
>> Pope as long as it is comprehensible...so far it is not.
>
> Maybe you aren't listening.
>
>>> Tres came up with this sledge hammer because he has no confidence
>>> in people's willingness to test and implement this feature properly.
>>
>> I am fine with the sledge-hammer. I've never claimed that we need to
>> support file insertion and raw support in any way. We don't need it; we
>> can kick it.
>> But removing or disabling a feature because we are possibly
>> incompetent would be just ridiculous.
>
> I can live with the sledge hammer for Zope 2. All I ask for is tests.
>
> If there are tests for each way of invoking reST through the web that
> verify that file-inclusion isn't enabled, then it's alright with me if
> the sledge hammer is used to make the tests pass. I won't tolerate an
> untested feature with so much security risk.
>
> I'll also note that the sledgehammer might not itself be safe in the
> presence of the various reload products for Zope 3. Would Tres' patch
> be defeated by reloading docutils.parsers.rst.directives.misc? Is there
> a chance that a reload product could reload this module and undo the fix?
> I dunno. It is worrisome.
The monkeypatch in the hotfix *might* be defeated that way, sure. The
updated version of docutils I checked in will *not*, because it disables
file inclusion inside the source of the dangerous handlers.

Another possible fix would be to patch docutils to make the configuration
directive for file inclusion disabled by default; that would allow a
trusted module to enable them for a given parse, without exposing the
feature for untrusted code.

> You seem to be the only one championing TTW reST? Are you unwilling to
> write the tests necessary to keep it? If so, it's hard to have any
> sympathy for your desire to keep it.

There are way too many uses of TTW documents out there "live" to just rip
it out, I think.

Tres.

--
===================================================================
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
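The configuration-based fix Tres describes (file insertion off by default, switched on per parse only by a trusted caller) and the kind of test Jim asks for (proof that file inclusion is not reachable from untrusted input) can both be shown with docutils' own settings. The code below is an added illustration written for this thread; it is not code from Zope, from the hotfix, or from docutils itself. It assumes a docutils release that has the ``file_insertion_enabled`` and ``raw_enabled`` settings and the ``html4css1`` writer; the helper names, the sentinel text and the temporary file are constructed for the example.

```python
"""Added example: render reST with docutils file insertion refused for
untrusted (through-the-web) input and enabled only for a trusted caller.

Illustration code for this thread, not Zope or docutils code.  Assumes a
docutils with the ``file_insertion_enabled`` / ``raw_enabled`` settings.
Names and sample data below are constructed for the example.
"""
import os
import tempfile

from docutils.core import publish_parts
from docutils.writers.html4css1 import Writer

# Settings shared by every parse.  _disable_config stops a docutils.conf on
# the host from silently re-enabling file insertion behind the caller's back.
_BASE_SETTINGS = {"_disable_config": True, "report_level": 2}

# For text that arrives from untrusted editors: the ``include`` directive and
# the ``raw`` directive (including its :file: / :url: options) are refused at
# parse time, so there is no monkeypatch for a module reload to undo.
UNTRUSTED_SETTINGS = dict(_BASE_SETTINGS,
                          file_insertion_enabled=False, raw_enabled=False)

# What a trusted, filesystem-based module may opt into for one parse only.
TRUSTED_SETTINGS = dict(_BASE_SETTINGS,
                        file_insertion_enabled=True, raw_enabled=True)


def render_rest(source, settings):
    """Render reST source to an HTML body fragment under the given settings."""
    parts = publish_parts(source=source, writer=Writer(),
                          settings_overrides=settings)
    return parts["body"]


def render_untrusted(source):
    """Entry point a through-the-web renderer would use."""
    return render_rest(source, UNTRUSTED_SETTINGS)


def render_trusted(source):
    """Entry point reserved for code that already has filesystem access."""
    return render_rest(source, TRUSTED_SETTINGS)


def demo():
    """Parse the same document both ways and return (untrusted, trusted) HTML.

    The document tries to pull a server-side file in through ``include`` and
    through ``raw :file:``; the file is a constructed temporary file holding
    a sentinel string, so the caller can check whether its content leaked.
    """
    sentinel = "CONSTRUCTED-SENTINEL-FOR-THE-EXAMPLE"
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(sentinel + "\n")
        source = (
            "Heading\n=======\n\n"
            ".. include:: %s\n\n"
            ".. raw:: html\n   :file: %s\n" % (path, path)
        )
        return render_untrusted(source), render_trusted(source)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    untrusted_html, trusted_html = demo()
    print("untrusted parse leaked file:",
          "CONSTRUCTED-SENTINEL-FOR-THE-EXAMPLE" in untrusted_html)
    print("trusted parse included file:",
          "CONSTRUCTED-SENTINEL-FOR-THE-EXAMPLE" in trusted_html)
```

In the untrusted parse docutils replaces each directive with a system message reading "directive disabled" and never opens the file; the trusted parse, with the two settings enabled for that call alone, includes it. A regression test for a through-the-web renderer is then a check that its output never contains the sentinel, which is the test Jim is asking for without depending on how the blocking is implemented.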