Merged philikon-zope2.11-with-standard-docutils:

      - Ship Zope with a standard docutils 0.4 distribution, instead
        of a patched one.  Both trusted and untrusted code are still
        protected against unwanted file inclusion.

doc/CHANGES.txt

@@ -9,6 +9,10 @@ Zope Changes
 
     Restructuring
 
+      - Ship Zope with a standard docutils 0.4 distribution, instead
+        of a patched one.  Both trusted and untrusted code are still
+        protected against unwanted file inclusion.
+
       - Removed ZGadflyDA (was deprecated since Zope 2.9). The code is
         still available from svn.zope.org/Products.ZGadflyDA.
 

lib/python/DocumentTemplate/tests/testDTML.py

@@ -16,7 +16,7 @@
 __rcs_id__='$Id$'
 __version__='$Revision: 1.15 $'[11:-2]
 
-import sys, os
+import sys, os, cgi
 import unittest
 
 if __name__=='__main__':
@@ -43,6 +43,14 @@ class D:
 
 def d(**kw): return kw
 
+docutils_include_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 1)</p>
+<p>&quot;include&quot; directive disabled.</p>'''
+
+docutils_raw_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 1)</p>
+<p>&quot;raw&quot; directive disabled.</p>'''
+
 class PukeError(Exception):
     """Exception raised in test code."""
 
@@ -340,38 +348,51 @@ foo bar
         source = '.. include:: /etc/passwd'
         html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
         html._vars['foo'] = source
-        self.assertRaises(NotImplementedError, html)
+        result = html()
 
-    def test_fmt_reST_raw_directive_disabled(self):
+        # The include: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_include_warning in result)
 
+    def test_fmt_reST_raw_directive_disabled(self):
         EXPECTED = '<h1>HELLO WORLD</h1>'
-
         source = '.. raw:: html\n\n  %s\n' % EXPECTED
         html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
         html._vars['foo'] = source
+        result = html()
 
-        result = html()       # don't raise, but don't work either
-        self.failIf(EXPECTED in result)
-
-        self.failUnless("&quot;raw&quot; directive disabled" in result)
-        from cgi import escape
-        self.failUnless(escape(EXPECTED) in result)
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(EXPECTED not in result)
+        self.assert_(cgi.escape(EXPECTED) in result)
+        self.assert_(docutils_raw_warning in result)
 
     def test_fmt_reST_raw_directive_file_option_raises(self):
-
         source = '.. raw:: html\n  :file: inclusion.txt'
         html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
         html._vars['foo'] = source
+        result = html()
 
-        self.assertRaises(NotImplementedError, html, source)
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_raw_warning in result)
 
     def test_fmt_reST_raw_directive_url_option_raises(self):
-
         source = '.. raw:: html\n  :url: http://www.zope.org'
         html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
         html._vars['foo'] = source
+        result = html()
 
-        self.assertRaises(NotImplementedError, html, source)
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_raw_warning in result)
 
     def testPropogatedError(self):
 

lib/python/Products/ZReST/ZReST.py

@@ -193,16 +193,16 @@ class ZReST(Item, PropertyManager, Historical, Implicit, Persistent):
         ''' Render the source to HTML
         '''
         if self._v_formatted is None:
-
+            warnings = self._v_warnings = Warnings()
             settings = {
                 'halt_level': 6,
-                'report_level' : self.report_level,
+                'report_level' : int(self.report_level),
                 'input_encoding': self.input_encoding,
                 'output_encoding': self.output_encoding,
                 'initial_header_level' : 1,
                 'stylesheet' : self.stylesheet,
                 'stylesheet_path' : None,
-                'pub.settings.warning_stream' :  Warnings(),
+                'warning_stream' : warnings,
                 'raw_enabled' : 0,
                 'file_insertion_enabled' : 0,
                 }

lib/python/Products/ZReST/tests/test_ZReST.py

@@ -5,6 +5,7 @@
 $Id$
 """
 import unittest
+import cgi
 import tempfile
 
 txt = """Hello World
@@ -26,6 +27,9 @@ csv_text = """bin:x:1:1:bin:/bin:/bin/bash
 daemon:x:2:2:Daemon:/sbin:/bin/bash
 """
 
+docutils_include_warning = '(WARNING/2) "include" directive disabled.'
+docutils_raw_warning = '(WARNING/2) "raw" directive disabled.'
+
 class TestZReST(unittest.TestCase):
 
     def _getTargetClass(self):
@@ -78,32 +82,51 @@ class TestZReST(unittest.TestCase):
     def test_include_directive_raises(self):
         resty = self._makeOne()
         resty.source = 'hello world\n .. include:: /etc/passwd'
-        self.assertRaises(NotImplementedError, resty.render)
-
-    def test_raw_directive_disabled(self):
+        result = resty.render()
+        warnings = ''.join(resty._v_warnings.messages)
 
-        EXPECTED = '<h1>HELLO WORLD</h1>'
+        # The include: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(docutils_include_warning in warnings)
 
+    def test_raw_directive_disabled(self):
         resty = self._makeOne()
+        EXPECTED = '<h1>HELLO WORLD</h1>'
         resty.source = '.. raw:: html\n\n  %s\n' % EXPECTED
-        result = resty.render() # don't raise, but don't work either
-        self.failIf(EXPECTED in result)
+        result = resty.render()
+        warnings = ''.join(resty._v_warnings.messages)
 
-    def test_raw_directive_file_directive_raises(self):
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(EXPECTED not in result)
+        self.assert_(cgi.escape(EXPECTED) in result)
+        self.assert_(docutils_raw_warning in warnings)
 
+    def test_raw_directive_file_directive_raises(self):
         resty = self._makeOne()
         resty.source = '.. raw:: html\n  :file: inclusion.txt'
-        self.assertRaises(NotImplementedError, resty.render)
+        result = resty.render()
+        warnings = ''.join(resty._v_warnings.messages)
 
-    def test_raw_directive_url_directive_raises(self):
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(docutils_raw_warning in warnings)
 
+    def test_raw_directive_url_directive_raises(self):
         resty = self._makeOne()
         resty.source = '.. raw:: html\n  :url: http://www.zope.org/'
-        self.assertRaises(NotImplementedError, resty.render)
+        result = resty.render()
+        warnings = ''.join(resty._v_warnings.messages)
 
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(docutils_raw_warning in warnings)
 
     def test_csv_table_file_option_raise(self):
-
         resty = self._makeOne()
         csv_file = self._csvfile()
         resty.source = '.. csv-table:: \n  :file: %s' % csv_file

lib/python/reStructuredText/__init__.py

@@ -28,6 +28,15 @@ Please remove docutils from %(path)s and replace it with a new version. You
 can download docutils at http://docutils.sourceforge.net/#download.
 """ % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }
 
+# Disable inclusion of files for security reasons.  We do this by
+# changing the default value of the ``file_insertion_enabled``
+# parameter to False.
+import docutils.parsers.rst
+for title, options, conf in docutils.parsers.rst.Parser.settings_spec[2]:
+    if options == ['--file-insertion-enabled']:
+        conf['default'] = 0
+        break
+
 import sys, os, locale
 from App.config import getConfiguration
 from docutils.core import publish_parts

lib/python/reStructuredText/tests/testReST.py

 # -*- coding: iso-8859-15 -*-
 
 import unittest
-
-from reStructuredText import HTML
+import cgi
+from docutils.core import publish_parts
+from reStructuredText import HTML, Warnings
 
 
 txt = """Hello World
@@ -20,6 +21,15 @@ Von V
 """
 
 
+docutils_include_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 2)</p>
+<p>&quot;include&quot; directive disabled.</p>'''
+
+docutils_raw_warning = '''\
+<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 1)</p>
+<p>&quot;raw&quot; directive disabled.</p>'''
+
+
 class TestReST(unittest.TestCase):
 
     def testRoman(self):
@@ -81,42 +91,67 @@ text
         output = HTML(input)
         self.assertEquals(output, expected) 
 
+    def test_file_insertion_off_by_default(self):
+        directive = '.. include:: /etc/passwd'
+        source = 'hello world\n %s' % directive
+        parts = publish_parts(source=source, writer_name='html4css1',
+                              settings_overrides={'warning_stream': Warnings()})
+
+        # The include: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(directive in parts['body'])
+        self.assert_(docutils_include_warning in parts['body'])
 
     def test_include_directive_raises(self):
-        source = 'hello world\n .. include:: /etc/passwd'
-        self.assertRaises(NotImplementedError, HTML, source)
+        directive = '.. include:: /etc/passwd'
+        source = 'hello world\n %s' % directive
+        result = HTML(source)
 
-    def test_raw_directive_disabled(self):
+        # The include: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(directive in result)
+        self.assert_(docutils_include_warning in result)
 
+    def test_raw_directive_disabled(self):
         EXPECTED = '<h1>HELLO WORLD</h1>'
-
         source = '.. raw:: html\n\n  %s\n' % EXPECTED
         result = HTML(source)       # don't raise, but don't work either
-        self.failIf(EXPECTED in result)
 
-        self.failUnless("&quot;raw&quot; directive disabled" in result)
-        from cgi import escape
-        self.failUnless(escape(EXPECTED) in result)
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(EXPECTED not in result)
+        self.assert_(cgi.escape(EXPECTED) in result)
+        self.assert_(docutils_raw_warning in result)
 
     def test_raw_directive_file_option_raises(self):
-
         source = '.. raw:: html\n  :file: inclusion.txt'
-        self.assertRaises(NotImplementedError, HTML, source)
+        result = HTML(source)
 
-    def test_raw_directive_url_option_raises(self):
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_raw_warning in result)
 
+    def test_raw_directive_url_option_raises(self):
         source = '.. raw:: html\n  :url: http://www.zope.org'
-        self.assertRaises(NotImplementedError, HTML, source)
+        result = HTML(source)
 
+        # The raw: directive hasn't been rendered, it remains
+        # verbatimly in the rendered output.  Instead a warning
+        # message is presented:
+        self.assert_(source in result)
+        self.assert_(docutils_raw_warning in result)
 
     def test_csv_table_file_option_raise(self):
-
         source = '.. csv-table:: \n  :file: inclusion.txt'
         result = HTML(source)
         self.failUnless('File and URL access deactivated' in result)
 
     def test_csv_table_url_option_raise(self):
-
         source = '.. csv-table:: \n  :url: http://www.evil.org'
         result = HTML(source)
         self.failUnless('File and URL access deactivated' in result)