Michael Haubenwallner wrote:
> Tres Seaver wrote:
>> Michael Haubenwallner wrote:
>>> Tres Seaver wrote:
>>>> Jim Fulton wrote:
>>>>> Zope 3, as released, is not affected by the security hole that
>>>>> has plagued Zope 2, however, Michael Haubenwallner has pointed
>>>>> out that some add-on-products, such as zwiki and bugtracker, may
>>>>> provide TTW reST.
>>>> They appear to be "safe" for the moment, but not because they
>>>> intentionally disable file inclusion:  rather, they have a bug (they set
>>>> the 'encoding' to 'unicode', which then causes an exception).
>>> Both reStructuredText directives 'include' and 'raw' have an 'encoding'
>>> option to set the name of the text encoding of the external data file/raw
>>> data (file or URL); it defaults to the document's encoding (if
>>> specified).
>>> .. include:: filename.ext
>>>   :encoding: utf-8
>>> .. raw:: html
>>>   :file: filename.ext
>>>   :encoding: utf-8
>>> should work as expected.
>>> Michael
>> Verified.  Both wikis and bugtracker issues are capable of including
>> arbitrary files using that spelling (in an instance created from today's
>> Zope3 trunk, anyway).
> Zope3 accesses docutils in a single point atm:
> zope.app.renderer.rest.ReStructuredTextToHTMLRenderer.render()
> All objects created from the factory zope.source.rest are rendered here.
> It should be possible to configure the docutils parser (and its
> directives) by adjusting the 'settings_overrides' values.
> I think the same can be done (and is done already) for Zope2.x in
> lib.python.reStructuredText.render() with the 'settings' dictionary.
> That way it would be possible to make the parser usage configurable and
> no need to use a patched docutils.

In Zope2 land, the module is still available, and can be used by other
code (which may not know of that issue).  I'm *not* in favor of shipping
an un-patched docutils until we work this out.  For instance, perhaps we
should be patching docutils to make the *default* settings disable file
inclusion and 'raw';  then the trusted code which wanted to render reST
which legitimately needed those features could enable them explicitly.
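Michael's suggestion of adjusting 'settings_overrides' and Tres's point that the defaults should disable file inclusion and 'raw' can be checked directly against docutils. The following is an added example, not code from this thread or from Zope; it relies on the real docutils settings `file_insertion_enabled` and `raw_enabled`, and the canary string, temp file and helper names are constructed for the demonstration.

```python
"""Render the same TTW-style reST twice with docutils: once with the library
defaults, once with file inclusion and raw passthrough disabled via
settings_overrides, and check whether a local file reaches the HTML."""
import io
import os
import tempfile

from docutils.core import publish_parts

# Constructed canary: if it shows up in the rendered HTML, the renderer read
# a local file it should not have.
CANARY = "CANARY_LOCAL_FILE_CONTENT_42"

# Overrides that make the parser refuse ``.. include::`` and ``.. raw::``.
HARDENED_OVERRIDES = {
    "file_insertion_enabled": False,  # rejects .. include:: and :file:/:url: on .. raw::
    "raw_enabled": False,             # rejects .. raw:: altogether
}


def render(rst_text, source_path, settings_overrides=None):
    """Render *rst_text* to an HTML fragment.  docutils uses *source_path* only
    to resolve relative include paths; the file itself need not exist."""
    overrides = {"warning_stream": io.StringIO()}  # keep directive warnings off stderr
    overrides.update(settings_overrides or {})
    parts = publish_parts(rst_text, source_path=source_path, writer_name="html",
                          settings_overrides=overrides)
    return parts["fragment"]


def leaks_file(settings_overrides=None):
    """True if a document using the spelling from the thread (include, and raw
    with :file:) manages to pull a local file into the output."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write(CANARY + "\n")
        rst = (
            ".. include:: %s\n\n"
            ".. raw:: html\n"
            "   :file: %s\n" % (secret, secret)
        )
        html = render(rst, os.path.join(tmp, "page.rst"), settings_overrides)
        return CANARY in html


if __name__ == "__main__":
    print("default settings leak file: ", leaks_file())
    print("hardened settings leak file:", leaks_file(HARDENED_OVERRIDES))
```

With the defaults the canary is rendered (the include directive parses the file as reST and the raw directive copies it verbatim); with the overrides both directives are replaced by a docutils system message and the file content is absent.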

