samizdat-devel

the sanitize call in template.rb fails


From: boud
Subject: the sanitize call in template.rb fails
Date: Sun, 4 Sep 2005 17:47:17 +0200 (CEST)

hi all,
  i've traced the bug in message.rb (in my installation from the .deb
package, anyway).

If i comment out this part of /usr/lib/ruby/1.8/samizdat/engine/template.rb:

    Samizdat::Sanitize.new(
      cache.fetch_or_add('xhtml') do
        File.open('/usr/share/samizdat/xhtml.yaml') {|f| YAML.load(f) }
      end
    ).sanitize(html)

then publication with message.rb works fine.

If i uncomment it, i get the same "The document contains no data"
error i mentioned in my previous emails, after a few dozen seconds.

Clearly, allowing arbitrary html code in articles is a big security
loophole, so it would be nice to have this working...

* i've checked that /usr/share/samizdat/xhtml.yaml exists and is readable:
-rw-r--r--  1 root root 3905 2005-05-30 13:20 /usr/share/samizdat/xhtml.yaml

* i thought that maybe apache was paranoid about not reading files
outside of the server root, so i tried substituting the file name here
with that of a copy of xhtml.yaml in the directory of the apache user,
readable by the apache user (and writable by the apache user, though
IMHO it would seem strange for this to need to be writable by the
apache user). This also fails with the same "The document contains no
data" error after a few dozen seconds.


Any hints on what to check next?

cheers
boud
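An added example (not Samizdat's code, and not the xhtml.yaml it ships) of what an allowlist-driven sanitizer like the one called above does: a constructed YAML allowlist, a sanitizer that keeps only listed elements and attributes, escapes everything else to literal text and drops URL attributes whose scheme is not listed, plus a wrapper `sanitize_with_allowlist`. Every name in it is hypothetical.

```ruby
require 'yaml'
require 'cgi'
# Constructed allowlist in the spirit of xhtml.yaml (hypothetical, not Samizdat's file):
# element name => permitted attributes; URL attributes must use a listed scheme.
ALLOWLIST_YAML = <<YAML
elements:
  p: []
  em: []
  strong: []
  a: [href, title]
  img: [src, alt]
protocols: [http, https, mailto]
YAML

class AllowlistSanitizer
  TAG_RE    = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(/?)>}
  ATTR_RE   = /([a-zA-Z][a-zA-Z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/
  URL_ATTRS = %w[href src]

  def initialize(config)
    @elements  = config.fetch('elements')
    @protocols = config.fetch('protocols')
  end

  # Allowed elements keep only allowed attributes; any other tag is escaped
  # so the browser renders it as literal text instead of markup.
  def sanitize(html)
    html.gsub(TAG_RE) do
      closing, name, attrs, selfclose = $1, $2.downcase, $3, $4
      allowed = @elements[name]
      next CGI.escapeHTML($&) unless allowed
      next "</#{name}>" if closing == '/'
      kept = attrs.scan(ATTR_RE).map do |aname, dq, sq, bare|
        aname = aname.downcase
        value = CGI.unescapeHTML(dq || sq || bare)   # normalise before re-escaping
        next unless allowed.include?(aname)
        next if URL_ATTRS.include?(aname) && !safe_url?(value)
        %( #{aname}="#{CGI.escapeHTML(value)}")
      end.compact.join
      "<#{name}#{kept}#{selfclose == '/' ? ' /' : ''}>"
    end
  end

  # Strip whitespace/control characters first so "java\tscript:" cannot slip past.
  def safe_url?(value)
    v = value.gsub(/[[:space:][:cntrl:]]/, '').downcase
    scheme = v[/\A([a-z][a-z0-9+.\-]*):/, 1]
    scheme.nil? || @protocols.include?(scheme)
  end
end

def sanitize_with_allowlist(html)
  AllowlistSanitizer.new(YAML.safe_load(ALLOWLIST_YAML)).sanitize(html)
end
```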


