From: Aahz <aa...@py...> - 2006-10-31 14:46:37
Hrm. Maybe we should change the reST defaults?

----- Forwarded message from Michael Hudson <mw...@py...> -----

> To: pyc...@py...
> From: Michael Hudson <mw...@py...>
> Date: Tue, 31 Oct 2006 09:45:53 +0100
> Subject: [PyCON-Organizers] reST security
>
> Ever since Felix Wiemann's lightning talk on docutils security at
> EuroPython last year, I've been typing ".. include:: /etc/passwd" into
> every web form that promises to process my input as reST:
>
> http://python.net/crew/mwh/rest-pycon-oops.png
>
> You probably want to turn this off :)
>
> Also worth turning off is the use of the ".. raw::" directive, which
> can be used to do all sorts of exciting cross-site scripting type
> things. More here:
>
> http://docutils.sourceforge.net/docs/user/config.html
>
> Cheers,
> mwh
>
> --
> Arrrrgh, the braindamage! It's not unlike the massively
> non-brilliant decision to use the period in abbreviations
> as well as a sentence terminator. Had these people no
> imagination at _all_? -- Erik Naggum, comp.lang.lisp
> _______________________________________________
> Pycon-organizers mailing list
> Pyc...@py...
> http://mail.python.org/mailman/listinfo/pycon-organizers

----- End forwarded message -----

--
Aahz (aa...@py...) <*> http://www.pythoncraft.com/

"If you don't know what your program is supposed to do, you'd better not start writing it." --Dijkstra
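The two probes Michael describes, run through docutils first with its defaults and then with the two settings from the config reference he links (`file_insertion_enabled`, `raw_enabled`), as an added example that is not code from the thread or from the docutils project. It assumes docutils is installed; the secret file and its contents are constructed here in place of /etc/passwd, the reST snippet is constructed to carry both probes, and `render`, `SAFE_SETTINGS`, `malicious_rst` and `demo` are this example's own names.

```python
"""Render untrusted reStructuredText with docutils' dangerous directives off.

Added example, not code from the docutils project or from the mailing-list
thread.  Assumes docutils is installed (pip install docutils).  The secret
file, its contents and the reST input are constructed for the demonstration.
"""
import os
import tempfile

from docutils.core import publish_parts

# Settings a through-the-web service should pass to docutils.  Both are
# documented in docutils' config reference (user/config.html) and both
# default to True:
#   file_insertion_enabled -> governs ".. include::" and the file:/url:
#                             options of ".. raw::" and ".. csv-table::"
#   raw_enabled            -> governs ".. raw::" (verbatim HTML, i.e. XSS)
SAFE_SETTINGS = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
}


def render(rst_text, settings_overrides=None):
    """Return the HTML body docutils' html writer produces for rst_text."""
    parts = publish_parts(
        source=rst_text,
        writer_name="html",
        settings_overrides=settings_overrides or {},
    )
    return parts["body"]


def malicious_rst(secret_path):
    """The two probes from the thread, aimed at a constructed secret file
    instead of /etc/passwd so the demo is self-contained."""
    return (
        "Hello from a web form.\n"
        "\n"
        ".. include:: %s\n"
        "\n"
        ".. raw:: html\n"
        "\n"
        "   <script>alert('xss')</script>\n"
    ) % secret_path


def demo():
    """Render the probe with default and with hardened settings.

    Returns (secret, default_html, hardened_html) so the difference can be
    checked: with defaults the file contents and the script tag land in the
    output; with SAFE_SETTINGS docutils refuses both directives and emits a
    '"include" directive disabled.' / '"raw" directive disabled.' system
    message instead (the directive text is echoed back HTML-escaped).
    """
    secret = "SECRET-TOKEN-4242"  # constructed stand-in for /etc/passwd
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret + "\n")
        rst = malicious_rst(path)
        default_html = render(rst)                  # docutils defaults
        hardened_html = render(rst, SAFE_SETTINGS)  # directives disabled
    finally:
        os.unlink(path)
    return secret, default_html, hardened_html


if __name__ == "__main__":
    secret, default_html, hardened_html = demo()
    print("default settings leak the file:   ", secret in default_html)
    print("default settings pass the script: ", "<script>" in default_html)
    print("hardened settings leak the file:  ", secret in hardened_html)
    print("hardened settings pass the script:", "<script>" in hardened_html)
```

Values passed in `settings_overrides` take precedence over any docutils.conf the process might pick up, so the service's own code, not the deployment's config files, decides whether the directives are on. At the default `report_level` the refusal is visible in the rendered output as a docutils system message, which is what the checks above look for; a public service that does not want to show those can raise `report_level`. Disabling these two settings closes the include and raw vectors the thread names; it is not a general sandbox for docutils.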
From: David G. <go...@py...> - 2006-10-31 17:17:17
On 10/31/06, Aahz <aa...@py...> wrote:
> Hrm. Maybe we should change the reST defaults?

That might be possible for Docutils 0.5 (under development), but not for bugfix releases (0.4.1 etc., if we ever release them). The change in behavior would cause a lot of pain. A behavior change would cause pain for upgraders & new users as well, so I'm reluctant to change the defaults even in 0.5.

I do think we need a prominent security notice and perhaps a document discussing security in various contexts (local tool install vs. through-the-web service).

--
David Goodger <http://python.net/~goodger>
From: Aahz <aa...@py...> - 2006-10-31 18:25:22
On Tue, Oct 31, 2006, David Goodger wrote:
> On 10/31/06, Aahz <aa...@py...> wrote:
>>
>> Hrm. Maybe we should change the reST defaults?
>
> That might be possible for Docutils 0.5 (under development), but not
> for bugfix releases (0.4.1 etc., if we ever release them). The change
> in behavior would cause a lot of pain. A behavior change would cause
> pain for upgraders & new users as well, so I'm reluctant to change the
> defaults even in 0.5.
>
> I do think we need a prominent security notice and perhaps a document
> discussing security in various contexts (local tool install vs.
> through-the-web service).

Certainly! And possibly even a way of installing "secure" versus "standard". Dunno, just wanted to raise the issue for discussion (and recording in the archives).

--
Aahz (aa...@py...) <*> http://www.pythoncraft.com/

"If you don't know what your program is supposed to do, you'd better not start writing it." --Dijkstra