On Jul 7, 2006, at 4:37 PM, Tres Seaver wrote:
Jim Fulton wrote:
Zope 3, as released, is not affected by the security hole that
has plagued Zope 2, however, Michael Haubenwallner has pointed
out that some add-on products, such as zwiki and bugtracker, may
provide TTW reST.
They appear to be "safe" for the moment, but not because they
intentionally disable file inclusion: rather, they have a bug
the 'encoding' to 'unicode', which then causes an exception).
DTML Page was another possible culprit: it too is safe for the
because Z3's DTML does not have a handler for 'fmt="restructured-
That is not really a comfort, because someday somebody is going to
harmonize Zope2's DTML features into Zope3's DTML; at that point
Yup, unless someone does the reST integration correctly.
There are 2 issues here:
1. That we need to warn anyone using these that there is an issue,
including anyone who might be using a Zope 3 checkout in
2. I want to move these out of the main subversion tree.
For those of you on this list, consider yourself warned.
We should probably send out a warning more broadly though.
I think the benefit of leaving file inclusion lying around in the main
python path's version of docutils (for benefit of notional filesystem
ResT users) is far outweighed by the risks associated with it. TTW
is *valuable* to people: it gets used by content authors, among
I hear you. I find it a hard call. It should be possible to use reST
safely without removing the feature, yet we have shown ourselves
unable to over and over again. :(
I think we need tests for any TTW reST code and those tests need to
demonstrate that file/url inclusion is disabled.
Jim Fulton mailto:[EMAIL PROTECTED] Python
CTO (540) 361-1714
Zope Corporation http://www.zope.com http://www.zope.org
Zope3-dev mailing list
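The two points raised above, leaving docutils' file inclusion in place for filesystem users while making sure through-the-web (TTW) reST cannot use it, and having tests that prove inclusion is off, can be shown concretely with docutils' own settings. The following is an added example, not code from Zope, zwiki, bugtracker or this thread: it renders reST once with docutils defaults and once with `file_insertion_enabled` and `raw_enabled` switched off, and provides a reusable check that writes a sentinel to a temporary file and verifies that neither `.. include::` nor `.. raw:: :file:` can pull it into the output. The function names, the sentinel string and the use of `publish_parts` with the HTML writer are this example's own choices.

```python
"""Added example: hardening docutils for through-the-web reST.

Not Zope code. Shows the docutils settings that control file/URL
inclusion and a test-style check that a renderer refuses them.
"""
import io
import os
import tempfile

from docutils.core import publish_parts

# Constructed sentinel; if it shows up in rendered HTML, the renderer
# read a local file on the author's behalf.
SENTINEL = "SENTINEL-TOP-SECRET"

# Settings a TTW renderer should force regardless of site defaults.
# halt_level=5 keeps docutils from raising on the resulting warnings so
# the caller always gets HTML back plus the captured messages.
HARDENED_OVERRIDES = {
    "file_insertion_enabled": False,  # disables include, raw :file:/:url:, csv-table :file:
    "raw_enabled": False,             # disables raw pass-through entirely
    "halt_level": 5,
}


def render_default(rst_text, warning_stream=None):
    """Render with docutils defaults: include/raw read files on the server."""
    overrides = {
        "halt_level": 5,
        "warning_stream": warning_stream or io.StringIO(),
    }
    return publish_parts(rst_text, writer_name="html",
                         settings_overrides=overrides)["body"]


def render_hardened(rst_text, warning_stream=None):
    """Render for untrusted (TTW) input with inclusion and raw disabled.

    Pass a StringIO as warning_stream to see docutils' "directive
    disabled" messages; they show the directive was refused, not ignored.
    """
    overrides = dict(HARDENED_OVERRIDES)
    overrides["warning_stream"] = warning_stream or io.StringIO()
    return publish_parts(rst_text, writer_name="html",
                         settings_overrides=overrides)["body"]


def inclusion_is_disabled(render):
    """The test this thread asks for, as a reusable helper.

    ``render`` maps reST text to HTML. A sentinel is written to a temp
    file and referenced through the two directives that read files;
    returns True only if neither rendering leaks the sentinel.
    """
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SENTINEL + "\n")
    try:
        probes = [
            ".. include:: %s\n" % path,
            ".. raw:: html\n   :file: %s\n" % path,
        ]
        return all(SENTINEL not in render(probe) for probe in probes)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("default renderer safe:", inclusion_is_disabled(render_default))
    print("hardened renderer safe:", inclusion_is_disabled(render_hardened))
```

`inclusion_is_disabled` is the kind of assertion a product's test suite can run against whatever renderer it actually exposes to content authors; it fails loudly the day someone wires the default settings back in, which is the regression the thread worries about.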