[Zope-Annce] Security alert: use of Through-the-Web reStructuredText

Jim Fulton jim at zope.com
Sat Jul 8 08:43:23 EDT 2006

Recently, a serious security flaw was found in Zope 2 due to it's  
improper support for allowing reStructuredText to be edited through- 
the-web.  reStructuredText has directives that allow inclusion of any  
file a Zope process could read and inclusion of data obtained from  
fetching arbitrary URLs.  In a trusted environment, these directives  
have legitimate uses.  The feature of including files and URL results  
should not be enabled for text entered from untrusted sources, which  
applies to most through-the-web interactions.

The recent hotfix:


addresses the problem for Zope 2.

It is safe to allow reStructuredText through the web with care.  The  
inclusion of files or URL results can be disabled, but the programmer  
must explicitly disable the feature.  It is not disabled by default.   
It is also critical that a developer who exposes through-the-web  
reStructuredText have tests to verify that the file/url inclusion  
feature has been disabled.

Zope 3 itself, as released, doesn't have this problem because it  
doesn't allow reST entry through the web.  There are third-party  
applications, however, including 2 packages in the Zope 3 subversion  
tree that do have this problem.  I strongly urge you to avoid using  
any Zope package that allows through-the-web input of  
reStructuredText unless you can verify that file/url has been  
properly disabled.

The zwiki and bugtracker packages do not currently disable file/url  
inclusion and should not be used in situations in which users who are  
not highly trusted have access to these applications.  If you are  
using a Zope 3 checkout, these packages are currently included and  
enabled.  I plan to remove these packages from the Zope 3 repository  
tree within the next few hours.  If you are using a checkout-based  
Zope 3 installation that exposes these packages to untrusted users,  
you are strongly urged to disable these packages by removing the  
following files from your package-includes directory:


Removing these files will also avoid problems when you update your  
checkout later, as these will refer to non-existent packages.


Jim Fulton			mailto:jim at zope.com		Python Powered!
CTO 				(540) 361-1714			http://www.python.org
Zope Corporation	http://www.zope.com		http://www.zope.org

More information about the Zope-Announce mailing list