On Jul 10, 2006, at 3:16 AM, Tres Seaver wrote:
> As Florent pointed out, long experience with text processing systems on
> Unix (TeX, PostScript, etc.) says that enabling file inclusion by
> default is a security hole.  Leaving it enabled by default makes
> docutils at least partly to blame for such holes (under a doctrine of
> "attractive nuisance").  If, OTOH, the downstream programmer had to
> explicitly enable the risky behavior, then any breach would be *that
> programmer's* fault.

I agree that, for the use case of TTW text entry, it would be better if file-inclusion was disabled by default; however, docutils wasn't designed for TTW text entry. You could try to lobby for a change, although I don't think you'd have much luck.

Perhaps we could lobby for an API to change the default. Then Zope could change the default through a supported API. I think there is some chance for getting such an API included.

As far as programmer fault, it is the programmer's fault to use a 3rd-party library without knowing its security implications. The docutils security hole in Zope is *our* fault, not docutils. There isn't a security hole in docutils when used as intended. It was our failure to expose TTW reST without reviewing all of the features to find out if they were problematic. It was our fault, once we found out that there was a problem, to not test our fix adequately.


Jim Fulton                      mailto:[EMAIL PROTECTED]                Python 
CTO                             (540) 361-1714                  
Zope Corporation        http://www.zope.com             http://www.zope.org
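
The file-inclusion default discussed in this message, as an added example that is not part of the original e-mail or of Zope's fix: it renders the same user-submitted reST once with docutils' defaults and once with the `file_insertion_enabled` and `raw_enabled` settings turned off through `settings_overrides`. It assumes docutils is installed; the marker string, the temporary file and the helper names are constructed for the demonstration.

```python
import os
import tempfile
from docutils.core import publish_parts

# Constructed stand-in for a server-side file the web user must never read.
MARKER = "CONSTRUCTED-SERVER-SIDE-SECRET"

# Overrides for untrusted (TTW) input; both are real docutils settings.
HARDENED = {
    "file_insertion_enabled": False,  # disables include and :file:/:url: options
    "raw_enabled": False,             # disables the raw directive
}

def render(rst_source, overrides=None):
    """Render reST to an HTML body fragment with the given setting overrides."""
    settings = {
        "_disable_config": True,  # ignore docutils.conf files, for repeatability
        "report_level": 5,        # keep system messages out of the output
        "halt_level": 5,          # never raise on a disabled directive
    }
    settings.update(overrides or {})
    parts = publish_parts(rst_source, writer_name="html",
                          settings_overrides=settings)
    return parts["body"]

def include_leaks(overrides=None):
    """Return True if an include directive pulls a local file into the output."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "private.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(MARKER + "\n")
        # Constructed user input: ordinary text plus an include of that file.
        source = "User-submitted text.\n\n.. include:: " + path + "\n"
        return MARKER in render(source, overrides)

if __name__ == "__main__":
    print("library defaults leak file:", include_leaks())
    print("hardened overrides leak file:", include_leaks(HARDENED))
```

The hardened call still renders the surrounding text; only the directive is dropped, which is the behaviour a through-the-web entry point needs to test for after applying the overrides.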

Zope3-dev mailing list