Jim Fulton wrote:

> On Jul 8, 2006, at 10:09 AM, Andreas Jung wrote:
>
>> --On 8 July 2006 09:53:47 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
> ...
>>>>> Tres came up with this sledge hammer because he has no confidence in people's willingness to test and implement this feature properly.
>>>>
>>>> I am fine with the sledge-hammer. I've never claimed that we need to support file insertion and raw support in any way. We don't need it, we can kick it.
>>>> But removing or disabling a feature because we are possibly incompetent would be just ridiculous.
>>>
>>> I can live with the sledge hammer for Zope 2. All I ask for is tests.
>>>
>>> If there are tests for each way of invoking reST through the web that verify that file-inclusion isn't enabled, then it's alright with me if the sledge hammer is used to make the tests pass. I won't tolerate an untested feature with so much security risk.
>>
>> Yes, someone has to write the tests at some time, soon.
>
> Right. Before 2.10.
>
>> As I pointed out the risk is minimal for Zope apps because you need to have access to the ZMI.
>
> No, it's not. Getting at arbitrary files is not acceptable from the ZMI.

Agreed. Much of Zope's security machinery would be irrelevant if we didn't care about untrusted users entering more-or-less executable content TTW.

>> So what are the security concerns in this case? And file inclusion won't work if the related code is stripped off... so what are your security concerns in this case?
>
> I am concerned by the lack of tests. Whoever created the last hot fix was sure the problem was fixed. They were wrong and we're paying the price.

I'll note that tests wouldn't have helped here in the absence of a more careful security review of docutils: none of us was aware of the 'raw' directive as an attack vector for file inclusion until you mentioned it the other day. We *did* disable the vector we knew about (the 'include' directive, when processed from a ZMI-based ReST Document).

I think we can be off the hook for the Plone version, as I think they don't call the same function to render the text; the DTML-based version, OTOH, was our fault (I didn't know 'fmt="restructured-text"' existed until this week).

Tres.

--
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
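As an added example (not code from this thread, from Zope or from docutils), here is the shape of the regression test Jim asks for: a probe document that uses both directives Tres names ('include', and 'raw' with its :file: option) is handed to each rendering path, and the check asserts that the probe file's contents never reach the output. render_naive is a constructed stand-in for an unpatched renderer; render_hardened uses docutils' own file_insertion_enabled and raw_enabled settings.

```python
import importlib.util
import os
import tempfile

SENTINEL = "SECRET-PROBE-7f3a"  # constructed; must never reach the output

# Probe exercising both vectors named in the thread: the 'include'
# directive and the ':file:' option of the 'raw' directive.
PROBE = """\
.. include:: {path}

.. raw:: html
   :file: {path}
"""

def leaks_file_contents(render):
    """True if render(source) exposes the probe file; `render` is any
    ReST-to-string callable, one per way of invoking reST through the web."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SENTINEL + "\n")
        return SENTINEL in render(PROBE.format(path=path))
    finally:
        os.unlink(path)

def render_hardened(source):
    """The 'sledge hammer': docutils with both vectors switched off through
    its file_insertion_enabled and raw_enabled settings."""
    from docutils.core import publish_parts
    overrides = {"file_insertion_enabled": False, "raw_enabled": False}
    return publish_parts(source, writer_name="html",
                         settings_overrides=overrides)["body"]

def render_naive(source):
    """Constructed stand-in for an unpatched renderer (not Zope code):
    it honours include and :file: by splicing in the named file."""
    out = []
    for line in source.splitlines():
        stripped = line.strip()
        if stripped.startswith((".. include::", ":file:")):
            with open(stripped.split()[-1]) as fh:
                out.append(fh.read())
        else:
            out.append(line)
    return "\n".join(out)

def docutils_available():
    return importlib.util.find_spec("docutils") is not None
```

Point leaks_file_contents at every real rendering path (ZMI ReST Document, the DTML fmt="restructured-text" path, and so on); a hot fix that silently regresses then fails the test instead of shipping.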