Merged philikon-zope2.11-with-standard-docutils:

      - Ship Zope with a standard docutils 0.4 distribution, instead
        of a patched one.  Both trusted and untrusted code are still
        protected against unwanted file inclusion.
parent a50fab40
...@@ -9,6 +9,10 @@ Zope Changes ...@@ -9,6 +9,10 @@ Zope Changes
Restructuring Restructuring
- Ship Zope with a standard docutils 0.4 distribution, instead
of a patched one. Both trusted and untrusted code are still
protected against unwanted file inclusion.
- Removed ZGadflyDA (was deprecated since Zope 2.9). The code is - Removed ZGadflyDA (was deprecated since Zope 2.9). The code is
still available from svn.zope.org/Products.ZGadflyDA. still available from svn.zope.org/Products.ZGadflyDA.
......
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
__rcs_id__='$Id$' __rcs_id__='$Id$'
__version__='$Revision: 1.15 $'[11:-2] __version__='$Revision: 1.15 $'[11:-2]
import sys, os import sys, os, cgi
import unittest import unittest
if __name__=='__main__': if __name__=='__main__':
...@@ -43,6 +43,14 @@ class D: ...@@ -43,6 +43,14 @@ class D:
def d(**kw): return kw def d(**kw): return kw
docutils_include_warning = '''\
<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 1)</p>
<p>&quot;include&quot; directive disabled.</p>'''
docutils_raw_warning = '''\
<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 1)</p>
<p>&quot;raw&quot; directive disabled.</p>'''
class PukeError(Exception): class PukeError(Exception):
"""Exception raised in test code.""" """Exception raised in test code."""
...@@ -340,38 +348,51 @@ foo bar ...@@ -340,38 +348,51 @@ foo bar
source = '.. include:: /etc/passwd' source = '.. include:: /etc/passwd'
html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">') html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
html._vars['foo'] = source html._vars['foo'] = source
self.assertRaises(NotImplementedError, html) result = html()
def test_fmt_reST_raw_directive_disabled(self): # The include: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(source in result)
self.assert_(docutils_include_warning in result)
def test_fmt_reST_raw_directive_disabled(self):
EXPECTED = '<h1>HELLO WORLD</h1>' EXPECTED = '<h1>HELLO WORLD</h1>'
source = '.. raw:: html\n\n %s\n' % EXPECTED source = '.. raw:: html\n\n %s\n' % EXPECTED
html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">') html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
html._vars['foo'] = source html._vars['foo'] = source
result = html()
result = html() # don't raise, but don't work either # The raw: directive hasn't been rendered, it remains
self.failIf(EXPECTED in result) # verbatimly in the rendered output. Instead a warning
# message is presented:
self.failUnless("&quot;raw&quot; directive disabled" in result) self.assert_(EXPECTED not in result)
from cgi import escape self.assert_(cgi.escape(EXPECTED) in result)
self.failUnless(escape(EXPECTED) in result) self.assert_(docutils_raw_warning in result)
def test_fmt_reST_raw_directive_file_option_raises(self): def test_fmt_reST_raw_directive_file_option_raises(self):
source = '.. raw:: html\n :file: inclusion.txt' source = '.. raw:: html\n :file: inclusion.txt'
html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">') html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
html._vars['foo'] = source html._vars['foo'] = source
result = html()
self.assertRaises(NotImplementedError, html, source) # The raw: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(source in result)
self.assert_(docutils_raw_warning in result)
def test_fmt_reST_raw_directive_url_option_raises(self): def test_fmt_reST_raw_directive_url_option_raises(self):
source = '.. raw:: html\n :url: http://www.zope.org' source = '.. raw:: html\n :url: http://www.zope.org'
html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">') html = self.doc_class('<dtml-var name="foo" fmt="restructured-text">')
html._vars['foo'] = source html._vars['foo'] = source
result = html()
self.assertRaises(NotImplementedError, html, source) # The raw: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(source in result)
self.assert_(docutils_raw_warning in result)
def testPropogatedError(self): def testPropogatedError(self):
......
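Review bot: The include test at the top of this hunk checks that the directive text and the warning markup appear in `result` but never checks that the included file's contents are absent, which is the property the change is meant to protect; writing a sentinel line to a temporary file, pointing the directive at it and adding `self.assert_(sentinel not in result)` would pin that directly. That method's `def` line is above the hunk. `test_fmt_reST_raw_directive_file_option_raises` and `test_fmt_reST_raw_directive_url_option_raises` now describe the removed behaviour; renaming them to `*_disabled` would match what they assert. `docutils_include_warning` and `docutils_raw_warning` pin docutils' exact system-message HTML including `line 1`, so a docutils upgrade that reformats messages fails these tests; matching on the `&quot;raw&quot; directive disabled.` paragraph alone, as the old test did, would be less brittle.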
...@@ -193,16 +193,16 @@ class ZReST(Item, PropertyManager, Historical, Implicit, Persistent): ...@@ -193,16 +193,16 @@ class ZReST(Item, PropertyManager, Historical, Implicit, Persistent):
''' Render the source to HTML ''' Render the source to HTML
''' '''
if self._v_formatted is None: if self._v_formatted is None:
warnings = self._v_warnings = Warnings()
settings = { settings = {
'halt_level': 6, 'halt_level': 6,
'report_level' : self.report_level, 'report_level' : int(self.report_level),
'input_encoding': self.input_encoding, 'input_encoding': self.input_encoding,
'output_encoding': self.output_encoding, 'output_encoding': self.output_encoding,
'initial_header_level' : 1, 'initial_header_level' : 1,
'stylesheet' : self.stylesheet, 'stylesheet' : self.stylesheet,
'stylesheet_path' : None, 'stylesheet_path' : None,
'pub.settings.warning_stream' : Warnings(), 'warning_stream' : warnings,
'raw_enabled' : 0, 'raw_enabled' : 0,
'file_insertion_enabled' : 0, 'file_insertion_enabled' : 0,
} }
......
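Review bot: `self._v_warnings` is set only inside the `if self._v_formatted is None:` branch, so a caller reading it after a cache hit (the new tests read `resty._v_warnings.messages` straight after `render()`) relies on an earlier render on the same object having set it; since `_v_` attributes are not persisted, a class-level default such as `_v_warnings = None` would make the cached-path case explicit, unless one already exists outside this hunk. The switch from `'pub.settings.warning_stream'` to `'warning_stream'` is presumably what makes docutils actually pick up the stream instead of its default destination, which is worth a comment: `# 'warning_stream' is the docutils setting name; system messages are captured per render`. `int(self.report_level)` raises ValueError for a non-numeric property value, so if `report_level` is editable as free text, validation belongs where it is set rather than at render time. The rest of render() lies outside the hunk.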
...@@ -5,6 +5,7 @@ ...@@ -5,6 +5,7 @@
$Id$ $Id$
""" """
import unittest import unittest
import cgi
import tempfile import tempfile
txt = """Hello World txt = """Hello World
...@@ -26,6 +27,9 @@ csv_text = """bin:x:1:1:bin:/bin:/bin/bash ...@@ -26,6 +27,9 @@ csv_text = """bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash daemon:x:2:2:Daemon:/sbin:/bin/bash
""" """
docutils_include_warning = '(WARNING/2) "include" directive disabled.'
docutils_raw_warning = '(WARNING/2) "raw" directive disabled.'
class TestZReST(unittest.TestCase): class TestZReST(unittest.TestCase):
def _getTargetClass(self): def _getTargetClass(self):
...@@ -78,32 +82,51 @@ class TestZReST(unittest.TestCase): ...@@ -78,32 +82,51 @@ class TestZReST(unittest.TestCase):
def test_include_directive_raises(self): def test_include_directive_raises(self):
resty = self._makeOne() resty = self._makeOne()
resty.source = 'hello world\n .. include:: /etc/passwd' resty.source = 'hello world\n .. include:: /etc/passwd'
self.assertRaises(NotImplementedError, resty.render) result = resty.render()
warnings = ''.join(resty._v_warnings.messages)
def test_raw_directive_disabled(self):
EXPECTED = '<h1>HELLO WORLD</h1>' # The include: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(docutils_include_warning in warnings)
def test_raw_directive_disabled(self):
resty = self._makeOne() resty = self._makeOne()
EXPECTED = '<h1>HELLO WORLD</h1>'
resty.source = '.. raw:: html\n\n %s\n' % EXPECTED resty.source = '.. raw:: html\n\n %s\n' % EXPECTED
result = resty.render() # don't raise, but don't work either result = resty.render()
self.failIf(EXPECTED in result) warnings = ''.join(resty._v_warnings.messages)
def test_raw_directive_file_directive_raises(self): # The raw: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(EXPECTED not in result)
self.assert_(cgi.escape(EXPECTED) in result)
self.assert_(docutils_raw_warning in warnings)
def test_raw_directive_file_directive_raises(self):
resty = self._makeOne() resty = self._makeOne()
resty.source = '.. raw:: html\n :file: inclusion.txt' resty.source = '.. raw:: html\n :file: inclusion.txt'
self.assertRaises(NotImplementedError, resty.render) result = resty.render()
warnings = ''.join(resty._v_warnings.messages)
def test_raw_directive_url_directive_raises(self): # The raw: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(docutils_raw_warning in warnings)
def test_raw_directive_url_directive_raises(self):
resty = self._makeOne() resty = self._makeOne()
resty.source = '.. raw:: html\n :url: http://www.zope.org/' resty.source = '.. raw:: html\n :url: http://www.zope.org/'
self.assertRaises(NotImplementedError, resty.render) result = resty.render()
warnings = ''.join(resty._v_warnings.messages)
# The raw: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(docutils_raw_warning in warnings)
def test_csv_table_file_option_raise(self): def test_csv_table_file_option_raise(self):
resty = self._makeOne() resty = self._makeOne()
csv_file = self._csvfile() csv_file = self._csvfile()
resty.source = '.. csv-table:: \n :file: %s' % csv_file resty.source = '.. csv-table:: \n :file: %s' % csv_file
......
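Review bot: In `test_include_directive_raises`, `test_raw_directive_file_directive_raises` and `test_raw_directive_url_directive_raises` the `result` returned by `resty.render()` is assigned but never asserted on, so these tests pass as long as a warning was emitted, even if file or URL content were also rendered. The sibling reStructuredText tests assert that the directive text survives verbatim in the output; the same check here would be `self.assert_('.. include:: /etc/passwd' in result)` for the include case and `self.assert_(resty.source in result)` for the raw cases, and a negative assertion that a sentinel written to a temporary file (this module already imports `tempfile` and has `_csvfile()`) is absent from `result` would pin the security property directly. The `*_raises` names now describe the removed behaviour; `*_disabled` would match the assertions.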
...@@ -28,6 +28,15 @@ Please remove docutils from %(path)s and replace it with a new version. You ...@@ -28,6 +28,15 @@ Please remove docutils from %(path)s and replace it with a new version. You
can download docutils at http://docutils.sourceforge.net/#download. can download docutils at http://docutils.sourceforge.net/#download.
""" % {'version' : docutils.__version__, 'path' : docutils.__path__[0] } """ % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }
# Disable inclusion of files for security reasons. We do this by
# changing the default value of the ``file_insertion_enabled``
# parameter to False.
import docutils.parsers.rst
for title, options, conf in docutils.parsers.rst.Parser.settings_spec[2]:
if options == ['--file-insertion-enabled']:
conf['default'] = 0
break
import sys, os, locale import sys, os, locale
from App.config import getConfiguration from App.config import getConfiguration
from docutils.core import publish_parts from docutils.core import publish_parts
......
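Review bot: The loop that flips the `--file-insertion-enabled` default fails silently: if a later docutils renames or restructures that option, the `if` never matches, `break` is never reached, and file insertion stays enabled with no error at import time. A `for`/`else` clause makes the hardening fail closed, e.g. `else: raise ImportError('docutils --file-insertion-enabled option not found')` after the loop. Only the default is changed, so a caller that passes its own `file_insertion_enabled` override presumably re-enables inclusion; the explicit `'file_insertion_enabled': 0` that ZReST passes in its settings is therefore still needed, and the comment could say so: `# Only the default changes; callers must still not override file_insertion_enabled.` The comment says the default becomes False while the code stores 0; matching the text to the code avoids confusion.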
# -*- coding: iso-8859-15 -*- # -*- coding: iso-8859-15 -*-
import unittest import unittest
import cgi
from reStructuredText import HTML from docutils.core import publish_parts
from reStructuredText import HTML, Warnings
txt = """Hello World txt = """Hello World
...@@ -20,6 +21,15 @@ Von V ...@@ -20,6 +21,15 @@ Von V
""" """
docutils_include_warning = '''\
<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 2)</p>
<p>&quot;include&quot; directive disabled.</p>'''
docutils_raw_warning = '''\
<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">&lt;string&gt;</tt>, line 1)</p>
<p>&quot;raw&quot; directive disabled.</p>'''
class TestReST(unittest.TestCase): class TestReST(unittest.TestCase):
def testRoman(self): def testRoman(self):
...@@ -81,42 +91,67 @@ text ...@@ -81,42 +91,67 @@ text
output = HTML(input) output = HTML(input)
self.assertEquals(output, expected) self.assertEquals(output, expected)
def test_file_insertion_off_by_default(self):
directive = '.. include:: /etc/passwd'
source = 'hello world\n %s' % directive
parts = publish_parts(source=source, writer_name='html4css1',
settings_overrides={'warning_stream': Warnings()})
# The include: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(directive in parts['body'])
self.assert_(docutils_include_warning in parts['body'])
def test_include_directive_raises(self): def test_include_directive_raises(self):
source = 'hello world\n .. include:: /etc/passwd' directive = '.. include:: /etc/passwd'
self.assertRaises(NotImplementedError, HTML, source) source = 'hello world\n %s' % directive
result = HTML(source)
def test_raw_directive_disabled(self): # The include: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(directive in result)
self.assert_(docutils_include_warning in result)
def test_raw_directive_disabled(self):
EXPECTED = '<h1>HELLO WORLD</h1>' EXPECTED = '<h1>HELLO WORLD</h1>'
source = '.. raw:: html\n\n %s\n' % EXPECTED source = '.. raw:: html\n\n %s\n' % EXPECTED
result = HTML(source) # don't raise, but don't work either result = HTML(source) # don't raise, but don't work either
self.failIf(EXPECTED in result)
self.failUnless("&quot;raw&quot; directive disabled" in result) # The raw: directive hasn't been rendered, it remains
from cgi import escape # verbatimly in the rendered output. Instead a warning
self.failUnless(escape(EXPECTED) in result) # message is presented:
self.assert_(EXPECTED not in result)
self.assert_(cgi.escape(EXPECTED) in result)
self.assert_(docutils_raw_warning in result)
def test_raw_directive_file_option_raises(self): def test_raw_directive_file_option_raises(self):
source = '.. raw:: html\n :file: inclusion.txt' source = '.. raw:: html\n :file: inclusion.txt'
self.assertRaises(NotImplementedError, HTML, source) result = HTML(source)
def test_raw_directive_url_option_raises(self): # The raw: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(source in result)
self.assert_(docutils_raw_warning in result)
def test_raw_directive_url_option_raises(self):
source = '.. raw:: html\n :url: http://www.zope.org' source = '.. raw:: html\n :url: http://www.zope.org'
self.assertRaises(NotImplementedError, HTML, source) result = HTML(source)
# The raw: directive hasn't been rendered, it remains
# verbatimly in the rendered output. Instead a warning
# message is presented:
self.assert_(source in result)
self.assert_(docutils_raw_warning in result)
def test_csv_table_file_option_raise(self): def test_csv_table_file_option_raise(self):
source = '.. csv-table:: \n :file: inclusion.txt' source = '.. csv-table:: \n :file: inclusion.txt'
result = HTML(source) result = HTML(source)
self.failUnless('File and URL access deactivated' in result) self.failUnless('File and URL access deactivated' in result)
def test_csv_table_url_option_raise(self): def test_csv_table_url_option_raise(self):
source = '.. csv-table:: \n :url: http://www.evil.org' source = '.. csv-table:: \n :url: http://www.evil.org'
result = HTML(source) result = HTML(source)
self.failUnless('File and URL access deactivated' in result) self.failUnless('File and URL access deactivated' in result)
......
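Review bot: `test_file_insertion_off_by_default` checks the process-wide docutils default, which is only off because the earlier `from reStructuredText import HTML, Warnings` patched `settings_spec` before `publish_parts` runs; that ordering dependency deserves a comment in the test, e.g. `# relies on the import of reStructuredText above having patched docutils' file_insertion_enabled default`. The trailing comment `# don't raise, but don't work either` on the `result = HTML(source)` line in `test_raw_directive_disabled` is stale now that the block below it explains the expected behaviour; dropping it avoids two competing explanations. `test_include_directive_raises`, `test_raw_directive_file_option_raises` and `test_raw_directive_url_option_raises` now describe behaviour the commit removed; `*_disabled` would match the new assertions. `docutils_include_warning` hard-codes `line 2` and `docutils_raw_warning` `line 1`, tying the tests to docutils' exact message markup and to the source layout; asserting on the `directive disabled.` paragraph only would survive message reformatting.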