From: Berend v. B. <be...@do...> - 2010-04-12 22:18:52
On Mon, Apr 12, 2010 at 10:39:40PM +0200, engelbert gruber wrote:
> security.
>
> php allows to use urls in include and open, this is awfully dangerous.
>
> if i need this i prefer having to load the files direct and store locally
> 1. docutils stays safer
> 2. more control on results if the host fails
>
> -2 of course.

I had a similar everything is/should be a file epiphany while looking at the
include code, which does not at all support URLs as I said. I think raw does,
but that doesn't matter since I'm not comfortable with the inclusion directive
in **a non-standalone setting** anyway (i.e. a site). (inclusion references
(sic) get lost beyond the parsing).

I think perhaps a new node, but brings memories of <embed />, may be hard to
standardize.

Btw, include could be wrapped by a new RemoteInclude, which then works from a
wget -r like tree. Safe content could be mirrored there by an admin.

Just a thought on the approach I might take instead..

-- Berend

> On 4/11/10, Berend van Berkum <be...@do...> wrote:
> >
> > Hi all,
> >
> > the current io package and inclusion based directives work directly on the
> > filesystem. Inclusion may explicitly address URLs, but source or destination
> > should be local. However I would like to be able to let a web-service publish
> > a file from a remote host.
> >
> > This would mean the source handling in core and frontend should be replaced by
> > some kind of Content Resolver instances. The resolver component for the source
> > would need to be shared in the doctree as well, so that include directives
> > have access to them.
> >
> > I am not sure what this means for any references. I guess some host could
> > require some specific Reader (w/ xforms and ref. resolvers), but I think that
> > is better left to the specific publisher deployment.
> >
> > Having a similar resolver for the destination is tempting as well, but don't
> > think it needs to go there as it seems to have little to do with the
> > publication component chain. Ie. it is the source, reader, parser and writer
> > component configuration that may generate a representation suitable to some
> > host(s).
> >
> > For now I'm thinking about a local resolver (local paths) and a urllib
> > based one (with some allowed hosts policy).
> >
> > What do you think?
> >
> > -- Berend
> >
> > --
> >  :e: be...@do...
> >  :t: +31(0)6 - 19160770
> >  :w: - http://services.dotmpe.com/
> >      - http://www.linkedin.com/pub/13/261/286
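
Added example, not part of the thread and not Docutils code: one way the two resolvers proposed above (local paths, and a urllib-based one with an allowed-hosts policy) could enforce their policy before reading anything. The names `LocalResolver`, `URLResolver`, `PolicyError` and `resolver_for` are hypothetical; the sketch goes slightly beyond the proposal by confining local paths to one root and refusing HTTP redirects.

```python
import os
import urllib.request
from urllib.parse import urlsplit

class PolicyError(Exception):
    """Raised when a source falls outside what a resolver may read."""

class LocalResolver:
    """Resolves paths below one root directory only (hypothetical name)."""
    def __init__(self, root):
        self.root = os.path.realpath(root)

    def check(self, path):
        # realpath collapses ".." and symlinks before the containment test;
        # an absolute path replaces the root in join() and is rejected too.
        full = os.path.realpath(os.path.join(self.root, path))
        if os.path.commonpath([self.root, full]) != self.root:
            raise PolicyError("path escapes root: %r" % path)
        return full

    def read(self, path):
        with open(self.check(path), "rb") as f:
            return f.read()

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A redirect could lead to a host outside the allow-list, so refuse it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise PolicyError("redirect to %r refused" % newurl)

class URLResolver:
    """urllib-based resolver with an allowed-hosts policy (hypothetical name)."""
    def __init__(self, allowed_hosts, schemes=("https",)):
        self.allowed = {h.lower() for h in allowed_hosts}
        self.schemes = schemes
        self.opener = urllib.request.build_opener(_NoRedirect)

    def check(self, url):
        parts = urlsplit(url)
        if parts.scheme not in self.schemes:  # rejects file:, ftp:, http: ...
            raise PolicyError("scheme not allowed: %r" % parts.scheme)
        # .hostname excludes userinfo and port, so "allowed@other-host"
        # is judged by the host actually contacted.
        if parts.hostname not in self.allowed:
            raise PolicyError("host not allowed: %r" % parts.hostname)
        return url

    def read(self, url, timeout=10):
        with self.opener.open(self.check(url), timeout=timeout) as resp:
            return resp.read()

def resolver_for(source, local, remote):
    """Pick the resolver by whether the source carries a URL scheme."""
    return remote if "://" in source else local
```
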