Re: [Docutils-develop] Host to host publishing

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Mon, Apr 12, 2010 at 10:39:40PM +0200, engelbert gruber wrote:
> security.
> 
> php allows to use urls in include and open, this is awfully dangerous.
> 
> if i need this i prefer having to load the files direct and store locally
> 1. docutil stays safer
> 2. more control on results if the host fails
> 
> -2

ofcourse. i had a similar everything is/should be a file epiphany while looking
at the include code, with does not at all support URLs as I said. 

I think raw does, but that doesn't matter since I'm not comfortable with the 
inclusion directive in **a non-standalone setting** anywayi (ie. a site).
(inclusion references (sic) get lost beyond the parsing). I think perhaps a 
new node, but brings memories of <embed />, may be hard to standardize.

Btw, include could be wrapped by a new RemoteInclude, which then works from a 
wget -r like tree. Safe content could be mirrored there by an admin. 
Just a thought on the approach i might instead take instead..

-- Berend

> On 4/11/10, Berend van Berkum <be...@do...> wrote:
> >
> > Hi all,
> >
> >
> > the current io package and inclusion based directives work directly on the
> > filesystem. Inclusion may explicitly address URLs, but source or destination
> > should be local. However I would like to be able to let a web-service
> > publish
> > a file from a remote host.
> >
> > This would mean the source handling in core and frontend should be replaced
> > by
> > some kind of Content Resolver instances. The resolver component for the
> > source
> > would need to be shared in the doctree as well, so that include directives
> > have access to them.
> >
> > I am not sure what this means for any references. I guess some host could
> > required some specific Reader (w/ xforms and ref. resolvers), but i think
> > that
> > is better better left to the specific publisher deployment.
> >
> > Having a similar resolver for the destination is tempting as well, but don't
> > think it needs to go there as it seems to have little to do with the
> > publication component chain. Ie. it is the source, reader, parser and writer
> > component configuration that may generate a representation suitable to some
> > host(s).
> >
> > For now I'm thinking about an local resolver (local paths) and a urllib
> > based one
> > (with some allowed hosts policy).
> >
> > What do you think?
> >
> >
> > -- Berend
> >
> >
> > --
> >  :e: be...@do...
> >  :t: +31(0)6 - 19160770
> >  :w: - http://services.dotmpe.com/
> >      - http://www.linkedin.com/pub/13/261/286
> >
> >
> > ------------------------------------------------------------------------------
> > Download Intel&#174; Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Docutils-develop mailing list
> > Doc...@li...
> > https://lists.sourceforge.net/lists/listinfo/docutils-develop
> >
> > Please use "Reply All" to reply to the list.
> >

-- 
 :e: be...@do...
 :t: +31(0)6 - 19160770
 :w: - http://services.dotmpe.com/
     - http://www.linkedin.com/pub/13/261/286