Jim Fulton wrote:
>
> On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
> ...
>> I'll note that tests wouldn't have helped here in the absence of a more
>> careful security review of docutils: none of us was aware of the 'raw'
>> directive as an attack vector for file inclusion until you mentioned it
>> the other day.
>
> Except that, as you discovered, it was *not* an attack vector. Setting
> file_insertion_enabled to False disables file insertion via the raw
> directive too.
>
> The real problem was that you could still use the include directive to
> include files via DTML and Plone. We didn't have a test to demonstrate
> that you couldn't use file insertion from DTML. And, obviously, the
> author of the Plone feature didn't have tests either.
>
> I agree that tests are not enough. The person who brought this issue up
> at EuroPython had a good point that whenever we use 3rd-party code, we
> need to consider its security implications. We didn't even read the
> documentation for reST when we incorporated this feature.
I think we picked up the feature (file inclusion) unnoticed in an upgrade (but could be wrong).

Tres.

--
===================================================================
Tres Seaver          +1 202-558-7113
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
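Jim's point above, that one docutils setting covers both the `include` directive and the `raw` directive's file mode, is the kind of thing the thread says nobody had a test for. The following is an added example, not code from this thread or from Zope, Plone or docutils; it assumes docutils is installed, and the sample documents and paths are constructed placeholders. The `halt_level` and `traceback` overrides are part of the example so that a refused directive surfaces as a `SystemMessage` exception rather than as a system-message node embedded in the rendered HTML or a `sys.exit()` from the publisher.

```python
"""Render untrusted reStructuredText with docutils while refusing file insertion.

Added example (not code from the Zope/Plone thread); assumes docutils is installed.
"""
import io

from docutils.core import publish_parts
from docutils.utils import SystemMessage

# Only file insertion switched off: the ``include`` directive and the ``raw``
# directive's ``:file:``/``:url:`` modes are refused; inline ``raw`` still works.
FILE_INSERTION_OFF = {
    'file_insertion_enabled': False,
    # Treat any WARNING-level system message as fatal instead of embedding it
    # in the rendered output, and propagate it as SystemMessage rather than
    # letting the publisher call sys.exit() on our behalf.
    'halt_level': 2,
    'traceback': True,
    'warning_stream': io.StringIO(),  # keep docutils quiet on stderr
}

# Profile for documents written by untrusted users: additionally refuse inline
# raw markup, which file_insertion_enabled alone leaves switched on.
UNTRUSTED = dict(FILE_INSERTION_OFF, raw_enabled=False)


def render(source: str, settings: dict) -> str:
    """Return the HTML body for *source*; raise SystemMessage if the document
    uses a directive that *settings* disable."""
    parts = publish_parts(source, writer_name='html', settings_overrides=settings)
    return parts['body']


def is_rejected(source: str, settings: dict) -> bool:
    """True if docutils refuses *source* under *settings*."""
    try:
        render(source, settings)
    except SystemMessage:
        return True
    return False


# Constructed sample documents. The paths are placeholders and are never opened:
# both directives check the setting before touching the filesystem.
BENIGN_DOC = "Hello *world*.\n"
INCLUDE_DOC = ".. include:: /placeholder/should-not-be-readable.txt\n"
RAW_FILE_DOC = ".. raw:: html\n   :file: /placeholder/should-not-be-readable.txt\n"
RAW_INLINE_DOC = ".. raw:: html\n\n   <b>inline raw markup</b>\n"


if __name__ == '__main__':
    for name, doc in [('include', INCLUDE_DOC),
                      ('raw :file:', RAW_FILE_DOC),
                      ('raw inline', RAW_INLINE_DOC)]:
        print(f"{name:12} file_insertion_enabled=False -> "
              f"{'rejected' if is_rejected(doc, FILE_INSERTION_OFF) else 'rendered'}; "
              f"untrusted profile -> "
              f"{'rejected' if is_rejected(doc, UNTRUSTED) else 'rendered'}")
    print(render(BENIGN_DOC, UNTRUSTED).strip())
```

`is_rejected` is the shape of the regression test the thread says was missing: run it from the code path that actually renders user-supplied reST (a DTML method, a Plone page) rather than against docutils in isolation, since the gap Jim describes was in how the application passed its settings, not in docutils itself.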