From: Felix W. <Fel...@gm...> - 2004-12-25 22:23:37
|
Beni Cherniavsky wrote: > David Goodger wrote: >> >> Beni Cherniavsky wrote: >> >>> Plugins should be selected by the user, not the document (for >>> security reasons). It's best if they can be installed just by >>> placing files somewhere; +1. >> +1. The location could be a runtime setting (set by config file or >> command line option) with a reasonable default (what should that >> be?). An environment variable too (DOCUTILS_PLUGINS_PATH)? Not sure if we need an environment variable. It's always possible to set a plugin path in ~/.docutils. > I'm not sure that getting the location from a config file is wise from > a security point of view. AFAIK there are currently no options > settable from the config file that could cause anything more severe > than reading a file and including it in the document (e.g. inlined > stylesheets). You can include arbitrary files from a reST document, which is bad when using reST in a wiki. And you can ask Docutils to download a current set of Debian ISO images by using the raw directive's :url: option, which is bad when you have a fast internet connection and pay for traffic. > So processing foreign files with foreign config files is pretty safe. Not really. > An extension path config setting would allow a config file to execute > any Python file. ... on the local system. And this possible threat could be mentioned in the announcement mail of the release introducing plugins. What you have to do to protect yourself is just glancing over the config file before running Docutils. Furthermore, it might possible to create a one-way option like --disable-plugins, which cannot be overridden and completely disables importing of plugins. > An environment variable would be OK. But it's not as easy. -- When replying to my email address, please ensure that the mail header contains 'Felix Wiemann'. http://www.ososo.de/ |