On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
> ...
> I'll note that tests wouldn't have helped here in the absence of a more
> careful security review of docutils: none of us was aware of the 'raw'
> directive as an attack vector for file inclusion until you mentioned it
> the other day.
Except that, as you discovered, it was *not* an attack vector.
Setting file_insertion_enabled to False disables file insertion via
the raw directive too.
The real problem was that you could still use the include directive
to include files via DTML and Plone. We didn't have a test to
demonstrate that you couldn't use file insertion from DTML. And,
obviously, the author of the Plone feature didn't have tests either.
I agree that tests are not enough. The person who brought this issue
up at EuroPython had a good point that whenever we use 3rd-party
code, we need to consider its security implications. We didn't even
read the documentation for reST when we incorporated this feature.
Jim
--
Jim Fulton           mailto:[EMAIL PROTECTED]       Python Powered!
CTO                  (540) 361-1714                http://www.python.org
Zope Corporation     http://www.zope.com           http://www.zope.org
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
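The regression test Jim says was missing, written here as an added example (it is not code from the thread, from Zope or from Plone): untrusted reStructuredText containing an `include` directive and a `raw` directive with a `:file:` option is rendered through docutils twice, once with the library defaults and once with `file_insertion_enabled` and `raw_enabled` both set to False, and the output is checked for a sentinel string that only exists in a temporary file on disk. The settings names are docutils' own; the temporary file, the sentinel, the payload strings and the helper names are constructed for this example. Docutils must be installed.

```python
"""Added example: does untrusted reST get to read files off the server?

Renders attacker-controlled reStructuredText under two docutils settings
profiles and reports, per payload, whether the contents of a file on disk
showed up in the HTML. The sentinel, temp file and payloads are constructed.
"""
import os
import tempfile

from docutils.core import publish_parts

# Settings as described in the thread: with file insertion off, both the
# ``include`` directive and the ``raw`` directive's :file:/:url: options are
# refused; raw is switched off entirely so untrusted HTML cannot be emitted.
HARDENED = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
}

# The docutils defaults. Fine for trusted documents, unsafe for web input.
PERMISSIVE = {
    "file_insertion_enabled": True,
    "raw_enabled": True,
}


def render(source, overrides):
    """Render a reST string to an HTML body fragment with the given settings."""
    return publish_parts(source, writer_name="html",
                         settings_overrides=overrides)["body"]


def attack_payloads(path):
    """reST an attacker might submit to read ``path`` from the server (constructed)."""
    return {
        "include": f".. include:: {path}\n",
        "raw-file": f".. raw:: html\n   :file: {path}\n",
    }


def leaks(source, overrides, secret):
    """True if rendering ``source`` under ``overrides`` exposes ``secret``."""
    return secret in render(source, overrides)


def run_check():
    """Return {payload_name: (leaks under PERMISSIVE, leaks under HARDENED)}.

    Writes a sentinel to a temporary file, points both payloads at it, and
    removes the file again afterwards.
    """
    secret = "SECRET-MARKER-5e0f"  # constructed sentinel, never legitimately in output
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret + "\n")
        path = fh.name
    try:
        return {
            name: (leaks(src, PERMISSIVE, secret), leaks(src, HARDENED, secret))
            for name, src in attack_payloads(path).items()
        }
    finally:
        os.unlink(path)


def hardened_output(path):
    """HTML produced under HARDENED for the include payload.

    Docutils replaces the directive with a system message saying the directive
    is disabled; the file is never opened, so ``path`` need not exist.
    """
    return render(attack_payloads(path)["include"], HARDENED)


if __name__ == "__main__":
    for name, (permissive, hardened) in run_check().items():
        print(f"{name:9s} leaks with defaults: {permissive}  leaks hardened: {hardened}")
```

Under the defaults both payloads leak the sentinel; under the hardened overrides neither does, and the include directive's place in the output is taken by a docutils system message. Docutils prints those warnings to stderr as well, which is expected. The same two-profile check is what a DTML tag or a Plone transform wrapping docutils should carry in its own test suite, since the settings it passes, not docutils' defaults, are what decide the outcome.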