--On 27 March 2008 20:42:50 +0200 Marius Gedminas <[EMAIL PROTECTED]> wrote:

> On Wed, Mar 26, 2008 at 09:20:27PM +0100, Dieter Maurer wrote:
> > Timothy Selivanow wrote at 2008-3-25 17:12 -0700:
> > > ...
> > > Now when I say "rip out", I don't mean repackage (make a sub RPM), I
> > > mean remove from the RPM that I am making. I don't want to provide a
> > > "new" Docutils.
> >
> > That Zope ships with its own "Docutils" comes from the fact
> > that the standard one has a big security hole.
>
> Which one? The one that lets you embed any file on the filesystem into
> a web page? http://docutils.sourceforge.net/docs/howto/security.html
>
> I didn't know Zope's bundled version of docutils fixed that. In any
> case, the src/docutils in the Zope 3.2 tree either doesn't have the fix,
> or it doesn't work. I tested it and ended up closing that hole in an
> application myself.

At least Zope 2 uses Docutils with the related options disabled. No idea about Zope 3.2.

-aj

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
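
The thread turns on whether the Docutils file-insertion options are actually disabled in a given tree. As an added example (not code from the thread, Zope or Docutils), this check renders submitted reStructuredText with and without the `file_insertion_enabled` and `raw_enabled` settings from the linked security how-to turned off; the helper names, the temporary file and its marker string are constructed for the demonstration.

```python
import os
import tempfile

from docutils.core import publish_parts

# Settings documented in the Docutils security how-to linked in the thread.
HARDENED = {
    "file_insertion_enabled": False,  # include, raw :file:, csv-table :file:
    "raw_enabled": False,             # the raw directive as a whole
}


def render(rst_text, hardened):
    """Render untrusted reStructuredText to an HTML body fragment."""
    overrides = {
        "_disable_config": True,   # ignore docutils.conf files on this host
        "warning_stream": False,   # keep parser warnings off stderr
    }
    if hardened:
        overrides.update(HARDENED)
    parts = publish_parts(rst_text, writer_name="html",
                          settings_overrides=overrides)
    return parts["html_body"]


def demo():
    """Report which configuration lets a constructed local file into the page."""
    marker = "constructed-marker-not-a-real-secret"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "local.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(marker + "\n")
        # Text as it might arrive through a form that accepts reST.
        submitted = "Submitted text.\n\n.. include:: %s\n" % path
        return {
            "default": marker in render(submitted, hardened=False),
            "hardened": marker in render(submitted, hardened=True),
        }


if __name__ == "__main__":
    print(demo())
```

Running the same check against a bundled copy of Docutils shows whether its overrides take effect, which is the question raised about the Zope 3.2 tree.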