-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Haubenwallner wrote:
> Tres Seaver wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Michael Haubenwallner wrote:
>>> Tres Seaver wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Jim Fulton wrote:
>>>>
>>>>> Zope 3, as releases is not affected by the security hole that
>>>>> has plagued Zope 2, however, Michael Haubenwallner has pointed
>>>>> out that some add-on-products, such as zwiki and bugtracker, may
>>>>> provide TTW reST.
>>>> They appear to be "safe" for the moment, but not because they
>>>> intentionally disable file inclusion:  rather, they have a bug (they
>>>> set
>>>> the 'encoding' to 'unicode', which then causes an exception).
>>>>
>>> Both restructuredText directives 'include' and 'raw' have an 'encoding'
>>> option to set the name of text encoding of the external data file/raw
>>> data (file or URL), it defaults to the document's encoding (if
>>> specified).
>>>
>>> .. include:: filename.ext
>>>   :encoding: utf-8
>>>
>>> .. raw:: html
>>>   :file: filename.ext
>>>   :encoding: utf-8
>>>
>>> should work as expected
>>>
>>> Michael
>>
>>
>> Verified.  Both wikis and bugtracker issues are capable of including
>> arbitrary files using that spelling (in an instance created from today's
>> Zope3 trunk, anyway).
>>
>>
> 
> Zope3 accesses docutils in a single point atm:
> zope.app.renderer.rest.ReStructuredTextToHTMLRenderer.render()
> 
> All objects created from the factory zope.source.rest are rendered here.
> It should be possible to configure the docutils parser (and its
> directives) by adjusting the 'settings_overrides' values.
> 
> I think the same can be done (and is done already) for Zope2.x in
> lib.python.reStructuredText.render() with the 'settings' dictionary.
> 
> That way it would be possible to make the parser usage configurable and
> no need to use a patched docutils.

In Zope2 land, the module is still available, and can be used by other
code (which may not know of that issue).  I'm *not* in favor of shipping
an un-patched docutils until we work this out.  For instance, perhaps we
should be patching docutils to make the *default* settings disable file
inclusion and 'raw';  then the trusted code which wanted to render reST
which legitimately needed those features could enable them explicitly.


Tres.
- --
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEr6pm+gerLs4ltQ4RAhquAJ4yotGOLN5778NdQ5Fh2oO7wCRNIACfcZ3N
//xqhLuWYrUAGEU5j8B214c=
=CHum
-----END PGP SIGNATURE-----

_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to