- reStructuredText/ZReST: setting raw_enabled to 0 for security reasons

9b6892cc · Andreas Jung · 546f3456 · 9b6892cc · 9b6892cc · 9b6892cc
Commit 9b6892cc authored Jul 05, 2006 by Andreas Jung
Showing with 7 additions and 0 deletions

doc/CHANGES.txt doc/CHANGES.txt +3 -0

lib/python/Products/ZReST/ZReST.py lib/python/Products/ZReST/ZReST.py +3 -0

lib/python/reStructuredText/__init__.py lib/python/reStructuredText/__init__.py +1 -0

No files found.
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -18,6 +18,9 @@ Zope Changes

    Bugs fixed

+      - reStructuredText/ZReST: setting raw_enabled to 0 for security
+        reasons
+
      - OFS Application: Removed deprecation warnings added in Zope 2.8.5.
        The warning period starts in Zope 2.9.0.


--- a/lib/python/Products/ZReST/ZReST.py
+++ b/lib/python/Products/ZReST/ZReST.py
@@ -210,6 +210,9 @@ class ZReST(Item, PropertyManager, Historical, Implicit, Persistent):
            # disallow use of the .. include directive for security reasons
            pub.settings.file_insertion_enabled = 0

+            # disallow insertion of raw data for security reasons
+            pub.settings.raw_enabled = 0
+
            # don't break if we get errors
            pub.settings.halt_level = 6


--- a/lib/python/reStructuredText/__init__.py
+++ b/lib/python/reStructuredText/__init__.py
@@ -75,6 +75,7 @@ def render(src,
        settings['language_code'] = language_code
    settings['language_code'] = language_code
    settings['file_insertion_enabled '] = 0
+    settings['raw_enabled'] = 0
    # starting level for <H> elements:
    settings['initial_header_level'] = initial_header_level + 1
    # set the reporting level to something sane: