Hey guys,

So we (mostly Mike :-) gave the wiki the ability to parse reStructuredText yesterday, which gives the Docs people another tool for working with wiki content. However, the reStructuredText parser was originally designed for command line tools to statically convert rst into other formats (html, docbook, etc.). Using it in a dynamic environment like a wiki has some security issues that have to be addressed. The docutils authors have listed the issues they're aware of, with configuration options to disable the features. We've placed a config file on the app servers that does this.

Unfortunately, Moin has reimplemented one of the features (include) in a safer manner. But their implementation doesn't process ACLs, so any user can look at pages they lack the ACL for by using an include. Attached is a small patch that disables include entirely. I've submitted a bug with upstream moin to add ACL support to this function as a longer term fix.

-Toshio
--- MoinMoin/parser/rst.py.bak 2007-02-24 08:56:22.000000000 -0700 +++ MoinMoin/parser/rst.py 2007-02-24 08:55:43.000000000 -0700 @@ -524,7 +524,8 @@ self.request = request # include MoinMoin pages - directives.register_directive('include', self.include) + # The MoinMoin include has to account for ACLs before this is safe + directives.register_directive('include', None) # used for MoinMoin macros directives.register_directive('macro', self.macro)
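Review bot: Registering `None` as the `include` directive is an implicit way to disable it, and the comment should say why `None` rather than simply dropping the `register_directive` call: docutils consults its runtime registry of registered directives before falling back to its built-in standard directives, so leaving `include` unregistered would re-enable docutils' own file-based include, which is exactly what the wiki config is trying to keep out. Shadowing the name with `None` relies on the directive lookup treating a `None` entry as an unknown directive (which produces an "Unknown directive type" system message in the rendered page); a small stub directive that returns an explicit system message such as "include is disabled on this wiki pending ACL support" would not depend on that lookup behaviour and would tell page authors what happened. Consider also a regression test that renders a page containing `.. include:: SomeRestrictedPage` as an unprivileged user and asserts the restricted page's text does not appear in the output, so the future ACL-aware include described in the mail is checked against the same case.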
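The ACL gap the mail describes, shown as an added example that is not MoinMoin's code and does not use its API: a toy wiki with per-page ACLs, an include expander that only checks the ACL of the page being viewed (the bug), one that checks the ACL of every included page as well (the longer-term fix the mail asks upstream for), and one that refuses all includes (what the attached patch does). Page names, the ACL model and the `.. include:: Page` syntax are constructed for the demonstration.

```python
"""Constructed illustration of why a wiki 'include' directive must apply the
reader's ACL to the included page, not only to the page being viewed.
Toy model only; MoinMoin's real ACL and parser APIs look nothing like this."""
import re

# Minimal rst-style include: ".. include:: PageName" on a line of its own.
INCLUDE_RE = re.compile(r"^\.\. include:: (\S+)[ \t]*$", re.MULTILINE)

# Constructed wiki content. 'All' grants the right to every user.
PAGES = {
    "FrontPage": {
        "acl": {"All": "read"},
        "body": "Welcome to the wiki.\n\n.. include:: StaffOnly\n",
    },
    "StaffOnly": {
        "acl": {"admin": "read"},
        "body": "internal staff notes",
    },
}


class AccessDenied(Exception):
    pass


def may_read(user, page):
    """True if `user` holds read on `page` directly or via the 'All' entry."""
    acl = PAGES[page]["acl"]
    return acl.get(user) == "read" or acl.get("All") == "read"


def _check_top_level(page, user):
    if page not in PAGES:
        raise KeyError(page)
    if not may_read(user, page):
        raise AccessDenied(page)
    return PAGES[page]["body"]


def render_unchecked_include(page, user):
    """The bug: the viewed page's ACL is enforced, the included page's is not,
    so any reader of FrontPage sees StaffOnly through the include."""
    body = _check_top_level(page, user)
    return INCLUDE_RE.sub(lambda m: PAGES.get(m.group(1), {}).get("body", ""), body)


def render_acl_include(page, user):
    """The fix: each included page is subject to the same read check the
    reader would face when opening it directly. Single-pass expansion; a real
    implementation would also bound nesting depth to stop include loops."""
    body = _check_top_level(page, user)

    def expand(match):
        target = match.group(1)
        if target not in PAGES:
            return f"[include: no such page {target}]"
        if not may_read(user, target):
            # Same outcome as a direct visit: no content leaks, only a notice.
            return f"[include: access denied to {target}]"
        return PAGES[target]["body"]

    return INCLUDE_RE.sub(expand, body)


def render_include_disabled(page, user):
    """What the patch does: includes are never expanded at all."""
    body = _check_top_level(page, user)
    return INCLUDE_RE.sub("[include: directive disabled]", body)


if __name__ == "__main__":
    for fn in (render_unchecked_include, render_acl_include, render_include_disabled):
        print(f"--- {fn.__name__} as guest ---")
        print(fn("FrontPage", "guest"))
```

Running the module shows the unchecked renderer handing "internal staff notes" to a guest who could never open StaffOnly directly, while the ACL-aware renderer substitutes a denial notice and still expands the include for an admin.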