Jim Fulton wrote:
>> You mean auditing. Testing would not help imho. Testing
>> only checks if expected behavior still works. And nobody
>> expects the Spanish Inquisition *wink* ;)
> You can test that trying to do file-inclusion fails.
For example, if I were the one who had written
the naive test, I would not have known a file inclusion
feature even exists or is supposed to be exposed to
reST. So my test would not have tested it. So we had
perfect tests for all the reST things we want and
expect but the hole would exist anyway.
To cut a long story short, I guess the current
fix can work or there can be other holes
(which we constantly would not be aware of, no matter
how many tests tell us the file inclusion does
not work anymore).
So what's the solution? Audit of the docutils
package? Putting it into a restricted environment
like the other template engines?
Inclusion of own docutils like, but audited