Jim Fulton wrote:
> On Jul 8, 2006, at 10:09 AM, Andreas Jung wrote:
>> --On 8. Juli 2006 09:53:47 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
>>>>> Tres came up with this sledge hammer because he has no confidence
>>>>> in people's willingness to test and implement this feature properly.
>>>> I am fine with the sledge-hammer. I've never claimed that we need
>>>> to support file insertion and raw support in any way. We don't
>>>> need, we can kick it.
>>>> But removing or disabling a feature because we are possibly
>>>> incompetent would be just ridiculous.
>>> I can live with the sledge hammer for Zope 2. All I ask for is tests.
>>> If there are tests for each way of invoking reST through the web that
>>> verify that file-inclusion isn't enabled, then it's alright with me if
>>> the sledge hammer is used to make the tests pass. I won't tolerate an
>>> untested feature with so much security risk.
>> Yes, someone has to write the tests at some time, soon.
> Right. Before 2.10.
>> As I pointed out the risk is minimal for Zope-apps because you need to
>> have access to the ZMI..
> No, it's not. Getting at arbitrary files is not acceptable from the ZMI.
Agreed. Much of Zope's security machinery would be irrelevant if we
didn't care about untrusted users entering more-or-less executable
>> so what are the security concerns in this case? And file inclusion won't
>> work if the related code is stripped off... so what are your security
>> concerns in this case?
> I am concerned by the lack of tests. Whoever created the last hot fix
> was sure the problem was fixed. They were wrong and we're paying the
I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils: none of us was aware of the 'raw'
directive as an attack vector for file inclusion until you mentioned it
the other day.
We *did* disable the vector we knew about (the 'include' directive, when
processed from a ZMI-based ReST Document). I think we can be off the
hook for the Plone version, as I think they don't call the same function
to render the text; the DTML-based version, OTOH, was our fault (I
didn't know 'fmt="restructured-text"' existed until this week).
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com
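An added example, not code from this thread or from Zope, of the kind of test Jim is asking for: one render function that applies docutils' own `file_insertion_enabled` and `raw_enabled` overrides, plus a check that both known file-reading directives (`include` and `raw`) are refused. The function names, the constructed secret file and the expectation that every web-facing render path (ZMI Document, DTML `fmt="restructured-text"`) calls this one function are assumptions of the example.

```python
import io
import os
import tempfile

from docutils.core import publish_parts

# Settings that make docutils refuse both directives that can read files.
# Every web-facing render path (the ZMI ReST Document, DTML's
# fmt="restructured-text", ...) is assumed to funnel through render_rst(),
# so one test per path can prove these overrides are really applied there.
SAFE_SETTINGS = {
    "file_insertion_enabled": False,  # disables ".. include::" (and :file:/:url: on raw)
    "raw_enabled": False,             # disables ".. raw::" outright
    "_disable_config": True,          # ignore any docutils.conf found on disk
    "halt_level": 5,                  # report, never raise; we inspect the messages
}


def render_rst(source: str):
    """Render reST to an HTML body; returns (body, docutils warning text)."""
    warnings = io.StringIO()
    settings = dict(SAFE_SETTINGS, warning_stream=warnings)
    parts = publish_parts(source, writer_name="html", settings_overrides=settings)
    return parts["body"], warnings.getvalue()


def inclusion_blocked(source: str, secret: str) -> bool:
    """True if rendering neither leaks `secret` nor silently accepts the directive."""
    body, warnings = render_rst(source)
    return secret not in body and "directive disabled" in warnings


def check_known_vectors() -> dict:
    """Try the two known file-reading directives against a constructed temp file."""
    secret = "CONSTRUCTED-SECRET-0xC0FFEE"  # constructed marker, not a real secret
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret + "\n")
        path = fh.name
    try:
        vectors = {
            "include": f".. include:: {path}\n",
            "raw": f".. raw:: html\n   :file: {path}\n",
        }
        return {name: inclusion_blocked(src, secret) for name, src in vectors.items()}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(check_known_vectors())  # expect {'include': True, 'raw': True}
```

Dropping either override from SAFE_SETTINGS makes the corresponding entry come back False, which is the regression the test exists to catch.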
Zope-Dev maillist - Zope-Dev@zope.org