Michael Haubenwallner wrote:
> Tres Seaver wrote:
>> Michael Haubenwallner wrote:
>>> Tres Seaver wrote:
>>>> Jim Fulton wrote:
>>>>
>>>>> Zope 3, as released, is not affected by the security hole that
>>>>> has plagued Zope 2; however, Michael Haubenwallner has pointed
>>>>> out that some add-on products, such as zwiki and bugtracker, may
>>>>> provide TTW reST.
>>>> They appear to be "safe" for the moment, but not because they
>>>> intentionally disable file inclusion: rather, they have a bug (they set
>>>> the 'encoding' to 'unicode', which then causes an exception).
>>>>
>>> Both reStructuredText directives 'include' and 'raw' have an 'encoding'
>>> option to set the name of the text encoding of the external data file/raw
>>> data (file or URL); it defaults to the document's encoding (if
>>> specified).
>>>
>>> .. include:: filename.ext
>>>    :encoding: utf-8
>>>
>>> .. raw:: html
>>>    :file: filename.ext
>>>    :encoding: utf-8
>>>
>>> should work as expected.
>>>
>>> Michael
>>
>> Verified. Both wikis and bugtracker issues are capable of including
>> arbitrary files using that spelling (in an instance created from today's
>> Zope3 trunk, anyway).
>>
>
> Zope3 accesses docutils in a single point atm:
> zope.app.renderer.rest.ReStructuredTextToHTMLRenderer.render()
>
> All objects created from the factory zope.source.rest are rendered here.
> It should be possible to configure the docutils parser (and its
> directives) by adjusting the 'settings_overrides' values.
>
> I think the same can be done (and is done already) for Zope2.x in
> lib.python.reStructuredText.render() with the 'settings' dictionary.
>
> That way it would be possible to make the parser usage configurable, with
> no need to use a patched docutils.
In Zope2 land, the module is still available, and can be used by other
code (which may not know of that issue).

I'm *not* in favor of shipping an un-patched docutils until we work this
out. For instance, perhaps we should be patching docutils to make the
*default* settings disable file inclusion and 'raw'; then the trusted code
which wanted to render reST which legitimately needed those features
could enable them explicitly.

Tres.
--
===================================================================
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com
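The kind of 'settings_overrides' wrapper Michael's message points at, written here as an added illustration rather than code from Zope, docutils or anyone in the thread: the setting names are real docutils options, while HARDENED_OVERRIDES, render_rest and demo are assumed names, and the "secret" file is a constructed temporary file.

```python
import io
import os
import tempfile

from docutils.core import publish_parts

# docutils settings that switch off external content in reST. The setting
# names are real docutils options; the wrapper is added for illustration and
# is not Zope's zope.app.renderer.rest code.
HARDENED_OVERRIDES = {
    "file_insertion_enabled": False,  # include::, and :file:/:url: on raw::
    "raw_enabled": False,             # raw:: directive and :raw: role
    "report_level": 2,                # keep a visible message per refusal
    "halt_level": 5,                  # never raise: a refusal must not 500
    "_disable_config": True,          # ignore any docutils.conf on the host
}

def render_rest(source, overrides=HARDENED_OVERRIDES):
    """Render untrusted reST to an HTML body; return (html, warning_text)."""
    warnings = io.StringIO()
    settings = dict(overrides, warning_stream=warnings)
    parts = publish_parts(source=source, writer_name="html",
                          settings_overrides=settings)
    return parts["body"], warnings.getvalue()

def demo():
    """Render one TTW-style document with open and with hardened settings."""
    # Constructed sample: a server-side file a wiki author must not read.
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("SECRET-MARKER-12345\n")
    doc = ("Wiki page\n=========\n\n"
           f".. include:: {path}\n\n"
           ".. raw:: html\n\n   <b>RAW-MARKER</b>\n")
    try:
        permissive = dict(HARDENED_OVERRIDES,
                          file_insertion_enabled=True, raw_enabled=True)
        open_html, _ = render_rest(doc, permissive)
        safe_html, safe_warnings = render_rest(doc)
    finally:
        os.unlink(path)
    return {
        "open_leaks_file": "SECRET-MARKER-12345" in open_html,
        "open_has_raw_html": "<b>RAW-MARKER</b>" in open_html,
        "safe_leaks_file": "SECRET-MARKER-12345" in safe_html,
        "safe_has_raw_html": "<b>RAW-MARKER</b>" in safe_html,
        "safe_refusals": safe_warnings.count("directive disabled"),
    }
```

With the hardened overrides each refused directive becomes a docutils system message in the output (its source block shown as literal text), so a page author sees why the content is missing while the file contents and raw HTML never reach the browser.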