Jim Fulton wrote:
> On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
>> I'll note that tests wouldn't have helped here in the absence of a more
>> careful security review of docutils: none of us was aware of the 'raw'
>> directive as an attack vector for file inclusion until you mentioned it
>> the other day.
> Except that, as you discovered, it was *not* an attack vector. Setting
> file_insertion_enabled to False disables file insertion via the raw
> directive too.
> The real problem was that you could still use the include directive to
> include files via DTML and Plone. We didn't have a test to demonstrate
> that you couldn't use file insertion from DTML. And, obviously, the
> author of the Plone feature didn't have tests either.
> I agree that tests are not enough. The person who brought this issue up
> at EuroPython had a good point that whenever we use 3rd-party code, we
> need to consider its security implications. We didn't even read the
> documentation for reST when we incorporated this feature.
I think we picked up the feature (file inclusion) unnoticed in an
upgrade (but could be wrong).
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com
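The missing test the thread talks about, as an added example that is not code from this thread or from Zope/Plone: it pushes two file-reading reST snippets (`include::` and `raw` with `:file:`) through docutils, once with default settings and once with `file_insertion_enabled` (plus `raw_enabled`) switched off, and reports whether a constructed marker file's content reaches the rendered output. It assumes docutils is installed; the marker, temp file and snippets are constructed here.

```python
import os
import tempfile
from docutils.core import publish_parts

# Constructed marker: if it shows up in the rendered HTML, a local file was read.
SECRET = "SECRET-MARKER-constructed-for-this-test"

# Settings a defender applies before rendering reST from untrusted authors.
UNTRUSTED_SETTINGS = {
    "file_insertion_enabled": False,  # refuses include:: and raw :file:/:url:
    "raw_enabled": False,             # refuses inline raw markup as well
}


def file_inclusion_attempts(path):
    """Two reST snippets that try to read the same local file."""
    return {
        "include": f".. include:: {path}\n",
        "raw_file": f".. raw:: html\n   :file: {path}\n",
    }


def probe(settings_overrides):
    """Render each snippet with the given settings; return {name: file content leaked?}."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SECRET + "\n")
        path = fh.name
    try:
        leaked = {}
        for name, source in file_inclusion_attempts(path).items():
            html = publish_parts(source, writer_name="html",
                                 settings_overrides=settings_overrides)["body"]
            # A refused directive is replaced by a system message; the file text
            # must not appear anywhere in the body.
            leaked[name] = SECRET in html
        return leaked
    finally:
        os.unlink(path)


def untrusted_settings_block_file_insertion():
    """The regression test: no directive leaks the file under hardened settings."""
    return probe(UNTRUSTED_SETTINGS)


def default_settings_leak_files():
    """Control case showing the test really detects the behaviour it guards against."""
    return probe({})


if __name__ == "__main__":
    print("hardened:", untrusted_settings_block_file_insertion())
    print("defaults:", default_settings_leak_files())
```

Under the hardened settings docutils also prints a `"include" directive disabled.` warning to stderr, which is the refusal the thread was missing a test for.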
Zope-Dev maillist - Zope-Dev@zope.org