[Zope-Checkins] SVN: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/ docutils' security restrictions are now applied using a monkey patch; this way the upstream version of docutils can be used (i.e. an egg)

Andreas Zeidler az at zitc.de
Mon Jun 4 19:26:54 EDT 2007


Log message for revision 76343:
  docutils' security restrictions are now applied using a monkey patch; this way the upstream version of docutils can be used (i.e. an egg)
  

Changed:
  _U  Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/
  A   Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/
  A   Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py
  U   Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py

-=-

Property changes on: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python
___________________________________________________________________
Name: svn:externals
   - ZConfig        svn://svn.zope.org/repos/main/ZConfig/tags/ZConfig-2.3.1
BTrees         -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/BTrees
persistent     -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/persistent
ThreadedAsync  -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ThreadedAsync
transaction    -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/transaction
ZEO            -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZEO
ZODB           -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZODB
ZopeUndo       -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZopeUndo
zdaemon        -r 40792 svn://svn.zope.org/repos/main/zdaemon/trunk/src/zdaemon
pytz           -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/pytz
zodbcode       -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/zodbcode
mechanize      -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/mechanize
docutils       svn://svn.zope.org/repos/main/docutils/tags/0.4.0-zope
ClientForm     svn://svn.zope.org/repos/main/Zope3/trunk/src/ClientForm
RestrictedPython   svn://svn.zope.org/repos/main/RestrictedPython/tags/3.4.0/src/RestrictedPython

   + ZConfig        svn://svn.zope.org/repos/main/ZConfig/tags/ZConfig-2.3.1
BTrees         -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/BTrees
persistent     -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/persistent
ThreadedAsync  -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ThreadedAsync
transaction    -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/transaction
ZEO            -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZEO
ZODB           -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZODB
ZopeUndo       -r 68677 svn://svn.zope.org/repos/main/ZODB/branches/3.7/src/ZopeUndo
zdaemon        -r 40792 svn://svn.zope.org/repos/main/zdaemon/trunk/src/zdaemon
pytz           -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/pytz
zodbcode       -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/zodbcode
mechanize      -r 69031 svn://svn.zope.org/repos/main/Zope3/branches/3.3/src/mechanize
docutils       svn://svn.zope.org/repos/main/docutils/tags/0.4.0
ClientForm     svn://svn.zope.org/repos/main/Zope3/trunk/src/ClientForm
RestrictedPython   svn://svn.zope.org/repos/main/RestrictedPython/tags/3.4.0/src/RestrictedPython
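Review bot: switching the docutils external from tags/0.4.0-zope to the plain tags/0.4.0 means the file-inclusion restrictions that the forked tag carried now exist only in the new docutilsSecurityPatches module, and they take effect only once that module has been imported. Any code that imports docutils.core directly without first importing reStructuredText/__init__.py will parse with the unpatched include and raw directives; consider importing the patch module from a place that runs unconditionally at startup, or at least document the ordering requirement next to the external.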


Added: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py
===================================================================
--- Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py	                        (rev 0)
+++ Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/docutilsSecurityPatches/__init__.py	2007-06-04 23:26:53 UTC (rev 76343)
@@ -0,0 +1,53 @@
+##############################################################################
+#
+# Copyright (c) 2002 Zope Corporation and Contributors. All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##############################################################################
+""" security patches for docutils """
+
+try:
+    import docutils
+except ImportError:
+    raise ImportError, 'Please install docutils 0.4.0+ from http://docutils.sourceforge.net/#download.'
+
+version = docutils.__version__.split('.')
+if not (version >= ['0', '4', '0'] or  version >= ['0', '4']):
+    raise ImportError, """Old version of docutils found:
+Got: %(version)s, required: 0.4.0+
+Please remove docutils from %(path)s and replace it with a new version. You
+can download docutils at http://docutils.sourceforge.net/#download.
+""" % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }
+
+
+# disable inclusion of files for security reasons
+# this way we don't need a custom version of docutils anymore
+import docutils.parsers.rst.directives.misc
+
+# additional import needed here since raw's func_code was swapped below...
+from docutils import nodes
+
+def include(*args, **kw):
+    """ disabled for security reasons """
+    raise NotImplementedError, 'File inclusion not allowed!'
+docutils.parsers.rst.directives.misc.include.func_code = include.func_code
+
+def raw_orig(*args, **kw):
+    """ place holder for original copy of function """
+    pass
+raw_orig.func_code = docutils.parsers.rst.directives.misc.raw.func_code
+docutils.parsers.rst.directives.misc.raw_orig = raw_orig
+
+def raw(name, arguments, options, *args, **kw):
+    """ disabled specific options for security reasons """
+    if options.has_key('file') or options.has_key('url'):
+        raise NotImplementedError, 'File inclusion not allowed!'
+    return raw_orig(name, arguments, options, *args, **kw)
+docutils.parsers.rst.directives.misc.raw.func_code = raw.func_code
+
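Review bot: the version check `if not (version >= ['0', '4', '0'] or  version >= ['0', '4']):` compares lists of strings lexicographically, so a docutils 0.10 would split to ['0', '10'] and compare below ['0', '4'], raising the "Old version of docutils found" ImportError for a newer release; the second clause also subsumes the first, since any list that is >= ['0', '4', '0'] is already >= ['0', '4']. Converting the leading numeric components with int() before comparing, and keeping a single `< [0, 4]` test, fixes both. Two further points on the func_code swaps: the body assigned to raw_orig runs with this module's globals rather than misc's (which is why the `from docutils import nodes` line is needed), so every other module-level name the original raw body reaches on the permitted, content-only path must also be defined here or rendering a legitimate `.. raw::` block fails with NameError at request time; a test that renders a raw block with inline content through the patched directive would catch that, and a comment listing which names were verified would help the next person who bumps docutils. Finally, raising NotImplementedError from the replaced include and raw bodies propagates out of the docutils publisher as an uncaught exception rather than a system_message, so a single `.. include::` in user-supplied text aborts the whole render instead of yielding an error node; reporting it via `state_machine.reporter.error(...)` and returning the message in a list would keep the rest of the document rendering while still refusing the inclusion.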

Modified: Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py
===================================================================
--- Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py	2007-06-04 23:16:26 UTC (rev 76342)
+++ Zope/branches/witsch-zope2.11-with-standard-docutils/lib/python/reStructuredText/__init__.py	2007-06-04 23:26:53 UTC (rev 76343)
@@ -28,6 +28,9 @@
 can download docutils at http://docutils.sourceforge.net/#download.
 """ % {'version' : docutils.__version__, 'path' : docutils.__path__[0] }
 
+# monkey patch docutils for security reasons
+import docutilsSecurityPatches
+
 import sys, os, locale
 from App.config import getConfiguration
 from docutils.core import publish_parts
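Review bot: `import docutilsSecurityPatches` lands right after a version check in reStructuredText/__init__.py (the "Old version of docutils found" message visible in the context lines) that the new module repeats verbatim, so the same ImportError condition is evaluated twice with two copies of the message to keep in sync; drop one, most naturally the copy in this file, since the patch module already refuses to import on an old docutils. The import exists purely for its side effect, so the comment should say what it replaces (include and raw in docutils.parsers.rst.directives.misc) rather than only "for security reasons", and because the patch is only applied when this package is imported, a startup assertion that the two code objects have actually been swapped would be cheaper than relying on import order.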


