Tres Seaver wrote:
Another possible fix would be to patch docutils to make the
configuration directive for file inclusion disabled by default; that
would allow a trusted module to enable them for a given parse, without
exposing the feature for untrusted code.

Which should be how upstream docutils should be coded in the first place.

That file inclusion is allowed by default is beyond me, when the experience of many other systems like TeX or PostScript shows that it's a huge security hole.


Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   [EMAIL PROTECTED]
Zope-Dev maillist
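The per-parse switch discussed in this thread, as an added example that is not part of the original messages or of Zope's code: docutils exposes the runtime settings `file_insertion_enabled` and `raw_enabled`, and a caller can force them off for untrusted input through `settings_overrides`. The helper name `render_rst`, the `demo` function and the marker file are assumptions made for the illustration.

```python
import os
import tempfile

from docutils.core import publish_parts
from docutils.writers.html4css1 import Writer


def render_rst(source, trusted=False):
    """Render reST to an HTML body; file access is allowed only if trusted."""
    overrides = {
        # Gates the "include" directive and the file/url options of
        # "raw" and "csv-table". docutils ships with this enabled.
        "file_insertion_enabled": trusted,
        # Gates the "raw" directive (arbitrary HTML pass-through).
        "raw_enabled": trusted,
        # Keep the '"include" directive disabled' system message out of
        # the rendered output; lower this to surface it to the user.
        "report_level": 5,
    }
    # settings_overrides take precedence over docutils.conf files.
    parts = publish_parts(source, writer=Writer(),
                          settings_overrides=overrides)
    return parts["body"]


def demo():
    """Render the same source as untrusted and as trusted input."""
    # Constructed sample: a local file standing in for sensitive data.
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("CONSTRUCTED-SECRET-MARKER\n")
        source = "Untrusted text.\n\n.. include:: %s\n" % path
        return render_rst(source), render_rst(source, trusted=True)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    untrusted_html, trusted_html = demo()
    print("untrusted leaks file:", "CONSTRUCTED-SECRET-MARKER" in untrusted_html)
    print("trusted includes file:", "CONSTRUCTED-SECRET-MARKER" in trusted_html)
```
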