Jim Fulton wrote:
> Zope 3, as released, is not affected by the security hole that
> has plagued Zope 2, however, Michael Haubenwallner has pointed
> out that some add-on-products, such as zwiki and bugtracker, may
> provide TTW reST.

They appear to be "safe" for the moment, but not because they
intentionally disable file inclusion: rather, they have a bug (they set
the 'encoding' to 'unicode', which then causes an exception).

DTML Page was another possible culprit: it too is safe for the moment,
because Z3's DTML does not have a handler for 'fmt="restructured-text"'.
That is not really a comfort, because someday somebody is going to
harmonize Zope2's DTML features into Zope3's DTML; at that point we are
hosed again.

> There are 2 issues here:
>
> 1. That we need to warn anyone using these that there is an issue,
>    including anyone who might be using a Zope 3 checkout in
>    production.
>
> 2. I want to move these out of the main subversion tree.
>
> For those of you on this list, consider yourself warned.
> We should probably send out a warning more broadly though.
>
> Thoughts?

I think the benefit of leaving file inclusion lying around in the main
Python path's version of docutils (for benefit of notional filesystem
ResT users) is far outweighed by the risks associated with it. TTW ReST
is *valuable* to people: it gets used by content authors, among others.

Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
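
The reply above observes that zwiki and bugtracker avoid file inclusion only through a bug, not by design. The following is an added example, not code from this thread or from Zope: it disables file inclusion deliberately with the `file_insertion_enabled` and `raw_enabled` settings of current docutils releases and checks the result. The function names, the sample page and the marker file are constructed for illustration.

```python
import io
import os
import tempfile

from docutils.core import publish_parts


def _render(text, overrides):
    settings = {
        "_disable_config": True,          # ignore any docutils.conf on the server
        "halt_level": 5,                  # report author errors inline, never raise
        "warning_stream": io.StringIO(),  # keep warnings out of the server's stderr
    }
    settings.update(overrides)
    parts = publish_parts(source=text, writer_name="html",
                          settings_overrides=settings)
    return parts["html_body"]


def render_untrusted(text):
    """Render through-the-web reST with file access and raw output disabled."""
    return _render(text, {
        "file_insertion_enabled": False,  # include, raw :file:, csv-table :file:
        "raw_enabled": False,             # raw directive (unescaped HTML)
    })


def render_with_defaults(text):
    """Same input with docutils defaults, for comparison only."""
    return _render(text, {})


def demo():
    marker = "CONSTRUCTED-SERVER-SIDE-MARKER"   # constructed sample content
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server_side.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(marker + "\n")
        page = ("Wiki page\n\n.. include:: %s\n\n"
                ".. raw:: html\n\n   <b id=\"raw-marker\">x</b>\n" % path)
        hardened = render_untrusted(page)
        return {
            "default_includes_file": marker in render_with_defaults(page),
            "hardened_includes_file": marker in hardened,
            "hardened_passes_raw_html": "<b id=" in hardened,
            "hardened_reports_block": "directive disabled" in hardened,
        }
```

Running `demo()` as a regression test in an application that accepts TTW reST catches the case the reply worries about, where a later change removes the accidental protection.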