Hash: SHA1

Jim Fulton wrote:

> Zope 3, as releases is not affected by the security hole that
> has plagued Zope 2, however, Michael Haubenwallner has pointed
> out that some add-on-products, such as zwiki and bugtracker, may
> provide TTW reST.

They appear to be "safe" for the moment, but not because they
intentionally disable file inclusion:  rather, they have a bug (they set
the 'encoding' to 'unicode', which then causes an exception).

DTML Page was another possible culprit:  it too is safe for the moment,
because Z3's DTML does not have a handler for 'fmt="restructured-text"'.
 That is not really a comfort, because someday somebody is going to
harmonize Zope2's DTML features into Zope3's DTML;  at that point we are
hosed again.

> There are 2 issues here:
> 1. That we need to warn anyone using these that there is an issue,
>      including anyone who might be using a Zope 3 checkout in
>     production.
> 2. I want to move these out of the main subversion tree.
> For those of you on this list, consider yourself warned.
> We should probably send out a warning more broadly though.
> Thoughts?

I think the benefit of leaving file inclusion lying around in the main
python path's version of docutils (for benefit of notional filesystem
ResT users) is far outweighed by the risks associated with it.  TTW ReST
is *valuable* to people:  it gets used by content authors, among others.

- --
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to