On Jul 7, 2006, at 4:37 PM, Tres Seaver wrote:

Jim Fulton wrote:

Zope 3, as released, is not affected by the security hole that
has plagued Zope 2, however, Michael Haubenwallner has pointed
out that some add-on-products, such as zwiki and bugtracker, may
provide TTW reST.

They appear to be "safe" for the moment, but not because they
intentionally disable file inclusion: rather, they have a bug (they set
the 'encoding' to 'unicode', which then causes an exception).

DTML Page was another possible culprit: it too is safe for the moment,
because Z3's DTML does not have a handler for 'fmt="restructured-text"'.
That is not really a comfort, because someday somebody is going to
harmonize Zope2's DTML features into Zope3's DTML; at that point we are
hosed again.

Yup, unless someone does the reST integration correctly.

There are 2 issues here:

1. That we need to warn anyone using these that there is an issue,
     including anyone who might be using a Zope 3 checkout in

2. I want to move these out of the main subversion tree.

For those of you on this list, consider yourself warned.
We should probably send out a warning more broadly though.


I think the benefit of leaving file inclusion lying around in the main
python path's version of docutils (for benefit of notional filesystem
reST users) is far outweighed by the risks associated with it. TTW reST
is *valuable* to people: it gets used by content authors, among others.

I hear you.  I find it a hard call. It should be possible to use reST
safely without removing the feature, yet we have shown ourselves
unable to, over and over again. :(

I think we need tests for any TTW reST code and those tests need to
demonstrate that file/url inclusion is disabled.


Jim Fulton                      mailto:[EMAIL PROTECTED]                Python 
CTO                             (540) 361-1714                  
Zope Corporation        http://www.zope.com             http://www.zope.org

Zope3-dev mailing list