| -rw-r--r-- | docutils/HISTORY.txt | 4 | ||||
| -rw-r--r-- | docutils/docs/ref/rst/directives.txt | 19 | ||||
| -rw-r--r-- | docutils/docutils/parsers/rst/directives/tables.py | 9 | ||||
| -rw-r--r-- | docutils/test/functional/expected/dangerous.html | 15 | ||||
| -rw-r--r-- | docutils/test/functional/input/dangerous.txt | 3 |
5 files changed, 41 insertions, 9 deletions
diff --git a/docutils/HISTORY.txt b/docutils/HISTORY.txt index 94bca94db..c40ad2243 100644 --- a/docutils/HISTORY.txt +++ b/docutils/HISTORY.txt @@ -59,12 +59,14 @@ Changes Since 0.3.7 errors. - Allowed whitespace in "include" & "raw" directive paths. - Added support for ``file_insertion_enabled`` & ``raw_enabled`` - settings in "include" & "raw" directives + settings in "include" & "raw" directives. * docutils/parsers/rst/directives/tables.py: - Added "list-table" directive. - Caught empty CSV table bug. + - Added support for the ``file_insertion_enabled`` setting in the + "csv-table" directive. * docutils/parsers/rst/languages/nl.py: Added to project; Dutch mappings by Martijn Pieters. diff --git a/docutils/docs/ref/rst/directives.txt b/docutils/docs/ref/rst/directives.txt index 752c82c51..1b0ff108d 100644 --- a/docutils/docs/ref/rst/directives.txt +++ b/docutils/docs/ref/rst/directives.txt @@ -668,7 +668,13 @@ CSV Table :Directive Options: Possible. :Directive Content: A CSV (comma-separated values) table. -.. Warning:: +.. WARNING:: + + The "csv-table" directive's ":file:" and ":url:" options represent + a potential security holes. They can be disabled with the + "file_insertion_enabled_" runtime setting. + +.. Note:: The "csv-table" directive requires the ``csv.py`` module of the Python standard library, which was added in Python 2.3. It will @@ -734,8 +740,11 @@ The following options are recognized: before any ``header-rows`` from the main CSV data. Must use the same CSV format as the main CSV data. -``file`` | ``url`` : path - Path or URL to CSV file. +``file`` : string (newlines removed) + The local filesystem path to a CSV data file. + +``url`` : string (whitespace removed) + An Internet URL reference to a CSV data file. ``encoding`` : name of text encoding The text encoding of the external CSV data (file or URL). 
@@ -1179,10 +1188,10 @@ example:: The following options are recognized: -``file`` : string +``file`` : string (newlines removed) The local filesystem path of a raw data file to be included. -``url`` : string +``url`` : string (whitespace removed) An Internet URL reference to a raw data file to be included. ``encoding`` : name of text encoding diff --git a/docutils/docutils/parsers/rst/directives/tables.py b/docutils/docutils/parsers/rst/directives/tables.py index 116a2759f..e47c9f9e4 100644 --- a/docutils/docutils/parsers/rst/directives/tables.py +++ b/docutils/docutils/parsers/rst/directives/tables.py @@ -115,6 +115,12 @@ if csv: def csv_table(name, arguments, options, content, lineno, content_offset, block_text, state, state_machine): try: + if ( not state.document.settings.file_insertion_enabled + and (options.has_key('file') or options.has_key('url')) ): + warning = state_machine.reporter.warning( + '"%s" directive disabled.' % name, + nodes.literal_block(block_text, block_text), line=lineno) + return [warning] check_requirements(name, lineno, block_text, state_machine) title, messages = make_title(arguments, state, lineno) csv_data, source = get_csv_data( @@ -205,7 +211,8 @@ def get_csv_data(name, options, content, lineno, block_text, state.document.settings.record_dependencies.add(source) csv_file = io.FileInput( source_path=source, encoding=encoding, - error_handler=state.document.settings.input_encoding_error_handler, + error_handler + =state.document.settings.input_encoding_error_handler, handle_io_errors=None) csv_data = csv_file.read().splitlines() except IOError, error: diff --git a/docutils/test/functional/expected/dangerous.html b/docutils/test/functional/expected/dangerous.html index 9f0b58a54..a95fb28af 100644 --- a/docutils/test/functional/expected/dangerous.html +++ b/docutils/test/functional/expected/dangerous.html 
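Review bot: The new guard at the top of csv_table is undocumented, and a reader has to work out why it runs ahead of check_requirements and inside the try; a one-line comment would settle it: `# Honour file_insertion_enabled: refuse the external data sources (:file:/:url:) before any I/O is attempted, as the "include" and "raw" directives do.` The condition's layout, with spaces padding the outer parentheses in `if ( not ... and (...) ):`, departs from the surrounding code and reads more clearly as `if (not state.document.settings.file_insertion_enabled and (options.has_key('file') or options.has_key('url'))):`. Inline CSV content remains accepted when the setting is off, which looks intended since only the two external-source options are tested; if the setting can be absent from some frontend's settings object, the attribute access would raise rather than warn, but that cannot be judged from the hunk. The second hunk in get_csv_data only rewraps the error_handler keyword. csv_table's body continues outside the hunk.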
@@ -42,7 +42,20 @@ <script> that does something really nasty </script> - +</pre> +</div> +<div class="system-message"> +<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">functional/input/dangerous.txt</tt>, line 13)</p> +<p>"csv-table" directive disabled.</p> +<pre class="literal-block"> +.. csv-table:: :file: /etc/passwd +</pre> +</div> +<div class="system-message"> +<p class="system-message-title">System Message: WARNING/2 (<tt class="docutils">functional/input/dangerous.txt</tt>, line 14)</p> +<p>"csv-table" directive disabled.</p> +<pre class="literal-block"> +.. csv-table:: :url: file:///etc/passwd </pre> </div> </div> diff --git a/docutils/test/functional/input/dangerous.txt b/docutils/test/functional/input/dangerous.txt index 2c1e55251..b3c69d14e 100644 --- a/docutils/test/functional/input/dangerous.txt +++ b/docutils/test/functional/input/dangerous.txt @@ -10,4 +10,5 @@ Potentially dangerous features (security holes): <script> that does something really nasty </script> - +.. csv-table:: :file: /etc/passwd +.. csv-table:: :url: file:///etc/passwd |
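Review bot: The two lines added to dangerous.txt exercise only the disabled path, so the expected output shows the guard firing but nothing here shows that csv-table with :file: or :url: still works when file_insertion_enabled is on; unless another functional test covers that, a positive case reading a small fixture inside the test tree would catch an inverted check. Both directives carry their option on the directive line itself rather than in an indented block, which the parser evidently accepts (the expected HTML reports warnings for lines 13 and 14), but the indented form `.. csv-table::` followed by `   :file: /etc/passwd` matches how directive options are documented and is less surprising to readers of the test.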
