On Jul 8, 2006, at 3:34 PM, Tres Seaver wrote:

The monkeypatch in the hotfix *might* be defeated that way, sure.  The
updated version of docutils I checked in will *not*, because it disables
file inclusion inside the source of the dangerous handlers.

Another possible fix would be to patch docutils to make the
configuration directive for file inclusion disabled by default;  that
would allow a trusted module to enable them for a given parse, without
exposing the feature for untrusted code.

I like this.

I would feel better, if we choose to maintain a hacked docutils,
to rename it so that it remains possible for an add-on to use a non- hacked

Also, if we maintain a hacked version, of course, we are taking extra responsibility on ourselves.

You seem to be the only one championing TTW reST? Are you unwilling to
write the tests necessary to keep it?  If so, it's hard to have any
sympathy for your desire to keep it.

There are way too many uses of TTW documents out there "live" to just
rip it out, I think.

Unless we have much better maintenance of this feature than we've had in the past, then we'll have no choice. Hopefully this will change.


Jim Fulton                      mailto:[EMAIL PROTECTED]                Python 
CTO                             (540) 361-1714                  
Zope Corporation        http://www.zope.com             http://www.zope.org

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

Reply via email to