Mercurial Repository: p/roundup/code: roundup/cgi/templating.py comparison

comparison roundup/cgi/templating.py @ 6098:72a281a55a17

Disable rst raw and include directives. reStructuredText has some directives that can include files or pass raw html to the output. Create new property so user can enable raw or include directives if desired. See: https://docutils.sourceforge.io/docs/howto/security.html for details.

author	John Rouillard <rouilj@ieee.org>
date	Thu, 20 Feb 2020 21:38:32 -0500
parents	90a1470edbea
children	55c56ceacb8e

comparison

equal deleted inserted replaced

-:90a1470edbea
+:72a281a55a17
 (?P<email>[-+=%/\w\.]+@[\w\.\-]+)|
 (?P<item>(?P<class>[A-Za-z_]+)(\s*)(?P<id>\d+))
 )''', re.X | re.I)
 protocol_re = re.compile('^(ht|f)tp(s?)://', re.I)
+# disable rst directives that have security implications
+rst_defaults = {'file_insertion_enabled': 0,
+'raw_enabled': 0,
+'_disable_config': 1}
 def _hyper_repl(self, match):
 if match.group('url'):
 return self._hyper_repl_url(match, '<a href="%s" rel="nofollow noopener">%s</a>%s')
 elif match.group('email'):
 if not ReStructuredText:
 return self.plain(escape=0, hyperlink=hyperlink)
 s = self.plain(escape=0, hyperlink=0)
 if hyperlink:
 s = self.hyper_re.sub(self._hyper_repl_rst, s)
-return u2s(ReStructuredText(s, writer_name="html")["html_body"])
+return u2s(ReStructuredText(s, writer_name="html",
+settings_overrides=self.rst_defaults)["html_body"])
 def markdown(self, hyperlink=1):
 """ Render the value of the property as markdown.
 This requires markdown2 or markdown to be installed separately.

Mercurial > p > roundup > code

comparison roundup/cgi/templating.py @ 6098:72a281a55a17