diff roundup/cgi/templating.py @ 6098:72a281a55a17

Disable rst raw and include directives. reStructuredText has some directives that can include files or pass raw html to the output. Create new property so user can enable raw or include directives if desired. See: https://docutils.sourceforge.io/docs/howto/security.html for details.
author John Rouillard <rouilj@ieee.org>
date Thu, 20 Feb 2020 21:38:32 -0500
parents 90a1470edbea
children 55c56ceacb8e
--- a/roundup/cgi/templating.py	Thu Feb 20 19:30:26 2020 +0000
+++ b/roundup/cgi/templating.py	Thu Feb 20 21:38:32 2020 -0500
@@ -1455,7 +1455,10 @@
     )''', re.X | re.I)
     protocol_re = re.compile('^(ht|f)tp(s?)://', re.I)
 
-
+    # disable rst directives that have security implications
+    rst_defaults = {'file_insertion_enabled': 0,
+                    'raw_enabled': 0,
+                    '_disable_config': 1}
 
     def _hyper_repl(self, match):
         if match.group('url'):
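Review bot: The one-line comment above `rst_defaults` does not say what each of the three keys actually governs, which is what the next maintainer tempted to relax one of them needs to know; extend it to something like `# file_insertion_enabled=0 blocks include and file/URL insertion, raw_enabled=0 blocks the raw directive, _disable_config=1 stops a docutils.conf on the server from re-enabling either`. The values are also written as ints (`0`/`1`) where `False`/`True` would make the on/off intent plainer to a reader. Because the dict is a shared class attribute, any code that mutates `self.rst_defaults` in place (rather than rebinding it) changes rendering for every instance of the enclosing class in the process; a short note to that effect, or a copy at the point of use, would make the "user can enable" path from the commit message safe. The class header is above the hunk, so the attribute's owner is inferred.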
@@ -1619,7 +1622,8 @@
         s = self.plain(escape=0, hyperlink=0)
         if hyperlink:
             s = self.hyper_re.sub(self._hyper_repl_rst, s)
-        return u2s(ReStructuredText(s, writer_name="html")["html_body"])
+        return u2s(ReStructuredText(s, writer_name="html",
+                       settings_overrides=self.rst_defaults)["html_body"])
 
     def markdown(self, hyperlink=1):
         """ Render the value of the property as markdown.
