Merged philikon-zope2.11-with-standard-docutils:

- Ship Zope with a standard docutils 0.4 distribution, instead of a patched one. Both trusted and untrusted code are still protected against unwanted file inclusion.

Merged philikon-zope2.11-with-standard-docutils:
- Ship Zope with a standard docutils 0.4 distribution, instead of a patched one. Both trusted and untrusted code are still protected against unwanted file inclusion.
9efe1a50 · Philipp von Weitershausen · a50fab40 · 9efe1a50 · 9efe1a50 · 9efe1a50
Commit 9efe1a50 authored Jul 25, 2007 by Philipp von Weitershausen
6 changed files
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -9,6 +9,10 @@ Zope Changes
    Restructuring
+      - Ship Zope with a standard docutils 0.4 distribution, instead
+        of a patched one.  Both trusted and untrusted code are still
+        protected against unwanted file inclusion.
      - Removed ZGadflyDA (was deprecated since Zope 2.9). The code is
        still available from svn.zope.org/Products.ZGadflyDA.

--- a/lib/python/DocumentTemplate/tests/testDTML.py
+++ b/lib/python/DocumentTemplate/tests/testDTML.py
@@ -16,7 +16,7 @@
 __rcs_id__='$Id$'
 __version__='$Revision: 1.15 $'[11:-2]
-import sys, os
+import sys, os, cgi
 import unittest
 if __name__=='__main__':
@@ -43,6 +43,14 @@ class D:
 def d(**kw): return kw
+docutils_include_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 1)</p>
+<p>&quot;include&quot; directive disabled.</p>'''
+docutils_raw_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 1)</p>
+<p>&quot;raw&quot; directive disabled.</p>'''
 class PukeError(Exception):
    """Exception raised in test code."""
@@ -340,38 +348,51 @@ foo bar
        source = '.. include:: /etc/passwd'
        html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
        html._vars['foo'] = source
-        self.assertRaises(NotImplementedError, html)
+        result = html()
-    def test_fmt_reST_raw_directive_disabled(self):
+        # The include: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_include_warning in result)
+    def test_fmt_reST_raw_directive_disabled(self):
        EXPECTED = '<h1>HELLO WORLD</h1>'
        source = '.. raw:: html\n\n  %s\n' % EXPECTED
        html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
        html._vars['foo'] = source
+        result = html()
-        result = html()       # don't raise, but don't work either
+        # The raw: directive hasn't been rendered, it remains
-        self.failIf(EXPECTED in result)
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
-        self.failUnless("&quot;raw&quot; directive disabled" in result)
+        self.assert_(EXPECTED not in result)
-        from cgi import escape
+        self.assert_(cgi.escape(EXPECTED) in result)
-        self.failUnless(escape(EXPECTED) in result)
+        self.assert_(docutils_raw_warning in result)
    def test_fmt_reST_raw_directive_file_option_raises(self):
        source = '.. raw:: html\n  :file: inclusion.txt'
        html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
        html._vars['foo'] = source
+        result = html()
-        self.assertRaises(NotImplementedError, html, source)
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_raw_warning in result)
    def test_fmt_reST_raw_directive_url_option_raises(self):
        source = '.. raw:: html\n  :url: http://www.zope.org'
        html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
        html._vars['foo'] = source
+        result = html()
-        self.assertRaises(NotImplementedError, html, source)
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_raw_warning in result)
    def testPropogatedError(self):

--- a/lib/python/Products/ZReST/ZReST.py
+++ b/lib/python/Products/ZReST/ZReST.py
@@ -193,16 +193,16 @@ class ZReST(Item, PropertyManager, Historical, Implicit, Persistent):
        ''' Render the source to HTML
        '''
        if self._v_formatted is None:
+            warnings = self._v_warnings = Warnings()
            settings = {
                'halt_level': 6,
-                'report_level' : self.report_level,
+                'report_level' : int(self.report_level),
                'input_encoding': self.input_encoding,
                'output_encoding': self.output_encoding,
                'initial_header_level' : 1,
                'stylesheet' : self.stylesheet,
                'stylesheet_path' : None,
-                'pub.settings.warning_stream' :  Warnings(),
+                'warning_stream' : warnings,
                'raw_enabled' : 0,
                'file_insertion_enabled' : 0,
                }

--- a/lib/python/Products/ZReST/tests/test_ZReST.py
+++ b/lib/python/Products/ZReST/tests/test_ZReST.py
@@ -5,6 +5,7 @@
 $Id$
 """
 import unittest
+import cgi
 import tempfile
 txt = """Hello World
@@ -26,6 +27,9 @@ csv_text = """bin:x:1:1:bin:/bin:/bin/bash
 daemon:x:2:2:Daemon:/sbin:/bin/bash
 """
+docutils_include_warning = '(WARNING/2) "include" directive disabled.'
+docutils_raw_warning = '(WARNING/2) "raw" directive disabled.'
 class TestZReST(unittest.TestCase):
    def _getTargetClass(self):
@@ -78,32 +82,51 @@ class TestZReST(unittest.TestCase):
    def test_include_directive_raises(self):
        resty = self._makeOne()
        resty.source = 'hello world\n .. include:: /etc/passwd'
-        self.assertRaises(NotImplementedError, resty.render)
+        result = resty.render()
+        warnings = ''.join(resty._v_warnings.messages)
-    def test_raw_directive_disabled(self):
-        EXPECTED = '<h1>HELLO WORLD</h1>'
+        # The include: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(docutils_include_warning in warnings)
+    def test_raw_directive_disabled(self):
        resty = self._makeOne()
+        EXPECTED = '<h1>HELLO WORLD</h1>'
        resty.source = '.. raw:: html\n\n  %s\n' % EXPECTED
-        result = resty.render() # don't raise, but don't work either
+        result = resty.render()
-        self.failIf(EXPECTED in result)
+        warnings = ''.join(resty._v_warnings.messages)
-    def test_raw_directive_file_directive_raises(self):
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(EXPECTED not in result)
+        self.assert_(cgi.escape(EXPECTED) in result)
+        self.assert_(docutils_raw_warning in warnings)
+    def test_raw_directive_file_directive_raises(self):
        resty = self._makeOne()
        resty.source = '.. raw:: html\n  :file: inclusion.txt'
-        self.assertRaises(NotImplementedError, resty.render)
+        result = resty.render()
+        warnings = ''.join(resty._v_warnings.messages)
-    def test_raw_directive_url_directive_raises(self):
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(docutils_raw_warning in warnings)
+    def test_raw_directive_url_directive_raises(self):
        resty = self._makeOne()
        resty.source = '.. raw:: html\n  :url: http://www.zope.org/'
-        self.assertRaises(NotImplementedError, resty.render)
+        result = resty.render()
+        warnings = ''.join(resty._v_warnings.messages)
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(docutils_raw_warning in warnings)
    def test_csv_table_file_option_raise(self):
        resty = self._makeOne()
        csv_file = self._csvfile()
        resty.source = '.. csv-table:: \n  :file: %s' % csv_file

--- a/lib/python/reStructuredText/__init__.py
+++ b/lib/python/reStructuredText/__init__.py
@@ -28,6 +28,15 @@ Please remove docutils from %(path)s and replace it with a new version. You
 can download docutils at http://docutils.sourceforge.net/#download.
 """ % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }
+# Disable inclusion of files for security reasons.  We do this by
+# changing the default value of the ``file_insertion_enabled``
+# parameter to False.
+import docutils.parsers.rst
+for title, options, conf in docutils.parsers.rst.Parser.settings_spec[2]:
+    if options == ['--file-insertion-enabled']:
+        conf['default'] = 0
+        break
 import sys, os, locale
 from App.config import getConfiguration
 from docutils.core import publish_parts

--- a/lib/python/reStructuredText/tests/testReST.py
+++ b/lib/python/reStructuredText/tests/testReST.py
 # -*- coding: iso-8859-15 -*-
 import unittest
+import cgi
-from reStructuredText import HTML
+from docutils.core import publish_parts
+from reStructuredText import HTML, Warnings
 txt = """Hello World
@@ -20,6 +21,15 @@ Von V
 """
+docutils_include_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 2)</p>
+<p>&quot;include&quot; directive disabled.</p>'''
+docutils_raw_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 1)</p>
+<p>&quot;raw&quot; directive disabled.</p>'''
 class TestReST(unittest.TestCase):
    def testRoman(self):
@@ -81,42 +91,67 @@ text
        output = HTML(input)
        self.assertEquals(output, expected) 
+    def test_file_insertion_off_by_default(self):
+        directive = '.. include:: /etc/passwd'
+        source = 'hello world\n %s' % directive
+        parts = publish_parts(source=source, writer_name='html4css1',
+                              settings_overrides={'warning_stream': Warnings()})
+        # The include: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(directive in parts['body'])
+        self.assert_(docutils_include_warning in parts['body'])
    def test_include_directive_raises(self):
-        source = 'hello world\n .. include:: /etc/passwd'
+        directive = '.. include:: /etc/passwd'
-        self.assertRaises(NotImplementedError, HTML, source)
+        source = 'hello world\n %s' % directive
+        result = HTML(source)
-    def test_raw_directive_disabled(self):
+        # The include: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(directive in result)
+        self.assert_(docutils_include_warning in result)
+    def test_raw_directive_disabled(self):
        EXPECTED = '<h1>HELLO WORLD</h1>'
        source = '.. raw:: html\n\n  %s\n' % EXPECTED
        result = HTML(source)       # don't raise, but don't work either
-        self.failIf(EXPECTED in result)
-        self.failUnless("&quot;raw&quot; directive disabled" in result)
+        # The raw: directive hasn't been rendered, it remains
-        from cgi import escape
+        # verbatimly in the rendered output.  Instead a warning
-        self.failUnless(escape(EXPECTED) in result)
+        # message is presented:
+        self.assert_(EXPECTED not in result)
+        self.assert_(cgi.escape(EXPECTED) in result)
+        self.assert_(docutils_raw_warning in result)
    def test_raw_directive_file_option_raises(self):
        source = '.. raw:: html\n  :file: inclusion.txt'
-        self.assertRaises(NotImplementedError, HTML, source)
+        result = HTML(source)
-    def test_raw_directive_url_option_raises(self):
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_raw_warning in result)
+    def test_raw_directive_url_option_raises(self):
        source = '.. raw:: html\n  :url: http://www.zope.org'
-        self.assertRaises(NotImplementedError, HTML, source)
+        result = HTML(source)
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_raw_warning in result)
    def test_csv_table_file_option_raise(self):
        source = '.. csv-table:: \n  :file: inclusion.txt'
        result = HTML(source)
        self.failUnless('File and URL access deactivated' in result)
    def test_csv_table_url_option_raise(self):
        source = '.. csv-table:: \n  :url: http://www.evil.org'
        result = HTML(source)
        self.failUnless('File and URL access deactivated' in result)