| Author: | David Goodger |
|---|---|
| Contact: | docutils-develop@lists.sourceforge.net |
| Date: | 2012-01-03 |
| Revision: | 7302 |
| Copyright: | This document has been placed in the public domain. |
Contents
Initially, Docutils was intended for command-line tools and single-user applications. Through-the-web editing and processing was not envisaged, therefore web security was not a consideration. Once Docutils/reStructuredText started being incorporated into an ever-increasing number of web applications (blogs, wikis, content management systems, and others), several security issues arose and have been addressed. This document provides instructions to help you secure the Docutils software in your applications.
Docutils does not come in a through-the-web secure state, because this would inconvenience ordinary users
There are several reStructuredText directives that can insert external data (files and URLs) into the immediate document. These directives are:
The "include" directive and the other directives' file insertion features can be disabled by setting "file_insertion_enabled" to 0/false.
The "raw" directive is intended for the insertion of non-reStructuredText data that is passed untouched to the Writer. This directive can be abused to bypass site features or insert malicious JavaScript code into a web page. The "raw" directive can be disabled by setting "raw_enabled" to 0/false.
If your application calls Docutils via one of the convenience functions, you can pass a dictionary of default settings that override the component defaults:
defaults = {'file_insertion_enabled': 0,
'raw_enabled': 0}
output = docutils.core.publish_string(
..., settings_overrides=defaults)
Note that these defaults can be overridden by configuration files (and command-line options if applicable). If this is not desired, you can disable configuration file processing with the _disable_config setting:
defaults = {'file_insertion_enabled': 0,
'raw_enabled': 0,
'_disable_config': 1}
output = docutils.core.publish_string(
..., settings_overrides=defaults)
You should secure Docutils via a configuration file:
If you call Docutils programmatically, it may be preferable to use the methods described in section below.
Docutils automatically looks in three places for a configuration file:
These locations can be overridden by the DOCUTILSCONFIG environment variable. Details about configuration files, the purpose of the various locations, and DOCUTILSCONFIG are available in the "Configuration Files" section of Docutils Configuration.
To fully secure your Docutils installation, the configuration file should contain the following lines:
[general] file-insertion-enabled: raw-enabled:
Note
Due to a bug in the definitions of these security-related settings, the right-hand-side of the above lines (the values) should be left blank, as shown. The bug was corrected on 2006-11-12 and is reflected in Docutils releases 0.4.1 and higher. In these versions, more verbose forms may be used, such as:
[general] file-insertion-enabled: off raw-enabled: no
The file_insertion_enabled & raw_enabled settings were added to Docutils 0.3.9; previous versions will ignore these settings. A bug existed in the configuration file handling of these settings in Docutils 0.4 and earlier. The bug was fixed with the 0.4.1 release on 2006-11-12.