On Jul 9, 2006, at 9:43 AM, Tres Seaver wrote:
> Jim Fulton wrote:
>> On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
>>> ...
>>> I'll note that tests wouldn't have helped here in the absence of a more
>>> careful security review of docutils: none of us was aware of the 'raw'
>>> directive as an attack vector for file inclusion until you mentioned it
>>> the other day.
>>
>> Except that, as you discovered, it was *not* an attack vector. Setting
>> file_insertion_enabled to False disables file insertion via the raw
>> directive too.
>>
>> The real problem was that you could still use the include directive to
>> include files via DTML and Plone. We didn't have a test to demonstrate
>> that you couldn't use file insertion from DTML. And, obviously, the
>> author of the Plone feature didn't have tests either.
>>
>> I agree that tests are not enough. The person who brought this issue up
>> at EuroPython had a good point that whenever we use 3rd-party code, we
>> need to consider its security implications. We didn't even read the
>> documentation for reST when we incorporated this feature.
>
> I think we picked up the feature (file inclusion) unnoticed in an
> upgrade (but could be wrong).

I dunno. If this is so, why didn't the person who incorporated the new
version check for new features that might be harmful?

That doesn't change the fact that when we found out about the threat
last fall, we didn't check all of the places in Zope where we were using
reST. You might say that this was because the person who did the hot fix
didn't know about all of the places we were using reST. But that just
illustrates that our current approach of "everyone is responsible for
everything" or, cynically, "no one is responsible for anything" isn't
working.
Jim
--
Jim Fulton            mailto:[EMAIL PROTECTED]    Python Powered!
CTO                   (540) 361-1714              http://www.python.org
Zope Corporation      http://www.zope.com         http://www.zope.org
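The regression test the thread says was missing, written here as an added example (it is not code from the thread, from Zope or from Plone): it renders reST with docutils and checks whether the `include` directive and the `raw` directive's `:file:` option can read a local file, once with default settings and once with `file_insertion_enabled` turned off. It requires docutils; the secret marker, the temporary file and the payload names are constructed for the test.

```python
"""Regression test: reST rendering must not be able to read local files.

Added example (not from the thread or from Zope). Requires docutils.
"""
import os
import tempfile

from docutils.core import publish_parts
from docutils.writers.html4css1 import Writer

# The setting the thread discusses: with file insertion disabled, docutils
# refuses both the ``include`` directive and the ``raw`` directive's
# :file:/:url: options. report_level 5 keeps the resulting warnings out of
# the rendered output and off stderr, so the test only sees the body.
HARDENED_SETTINGS = {'file_insertion_enabled': False, 'report_level': 5}
DEFAULT_SETTINGS = {'report_level': 5}  # file_insertion_enabled defaults to True


def render(source, settings):
    """Render a reST string to an HTML body fragment with the given settings."""
    return publish_parts(source, writer=Writer(),
                         settings_overrides=settings)['body']


def file_inclusion_payloads(path):
    """Constructed reST snippets, one per directive that can read a file."""
    return {
        'include': f".. include:: {path}\n",
        'raw-file': f".. raw:: html\n   :file: {path}\n",
    }


def leaks(settings, secret='CONSTRUCTED-SECRET-MARKER'):
    """Return the payload names whose rendered output contains the file's contents.

    An empty list means this configuration blocks file inclusion.
    """
    with tempfile.NamedTemporaryFile('w', suffix='.txt', delete=False) as fh:
        fh.write(secret + '\n')
        path = fh.name
    try:
        return sorted(name for name, src in file_inclusion_payloads(path).items()
                      if secret in render(src, settings))
    finally:
        os.unlink(path)


if __name__ == '__main__':
    print('default settings leak via:', leaks(DEFAULT_SETTINGS))    # ['include', 'raw-file']
    print('hardened settings leak via:', leaks(HARDENED_SETTINGS))  # []
```

Run it against every code path that renders user-supplied reST (DTML, Plone, or whatever else calls docutils), passing in the settings that path actually uses, rather than against docutils in isolation.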
_______________________________________________
Zope-Dev maillist - [email protected]
http://mail.zope.org/mailman/listinfo/zope-dev