rst parser does not support 'raw' directive per default (security risk)

2026-02-13 06:43:52 +00:00 · 2012-05-01 22:55:06 +02:00
parent e95f155af3
commit 28b68d914e
2 changed files with 11 additions and 3 deletions
--- a/compiler/docgen.nim
+++ b/compiler/docgen.nim
@@ -72,7 +72,7 @@ proc initIndexFile(d: PDoc) =
  d.indexValFilename = changeFileExt(extractFilename(d.filename), HtmlExt)
  if ExistsFile(gIndexFile): 
    d.indexFile = rstParse(readFile(gIndexFile), gIndexFile, 0, 1, 
-                           dummyHasToc, {})
+                           dummyHasToc, {roSupportRawDirective})
    d.theIndex = findIndexNode(d.indexFile)
    if (d.theIndex == nil) or (d.theIndex.kind != rnDefList): 
      rawMessage(errXisNoValidIndexFile, gIndexFile)
@@ -96,6 +96,7 @@ proc newDocumentor(filename: string): PDoc =
  result.filename = filename
  result.id = 100
  result.splitAfter = 20
+  result.options = {roSupportRawDirective}
  var s = getConfigVar("split.item.toc")
  if s != "": result.splitAfter = parseInt(s)
  
@@ -885,7 +886,8 @@ proc CommandRstAux(filename, outExt: string) =
  var filen = addFileExt(filename, "txt")
  var d = newDocumentor(filen)
  initIndexFile(d)
-  var rst = rstParse(readFile(filen), filen, 0, 1, d.hasToc, {})
+  var rst = rstParse(readFile(filen), filen, 0, 1, d.hasToc,
+                     {roSupportRawDirective})
  d.modDesc = renderRstToOut(d, rst)
  writeOutput(d, filename, outExt)
  generateIndex(d)
--- a/compiler/rst.nim
+++ b/compiler/rst.nim
@@ -68,6 +68,8 @@ type
    roSkipPounds,             ## skip ``#`` at line beginning (documentation
                              ## embedded in Nimrod comments)
    roSupportSmilies,         ## make the RST parser support smilies like ``:)``
+    roSupportRawDirective     ## support the ``raw`` directive (don't support
+                              ## it for sandboxing)
  
  TRstParseOptions* = set[TRstParseOption]
  
@@ -1629,7 +1631,11 @@ proc parseDotDot(p: var TRstParser): PRstNode =
    of dkTitle: result = dirTitle(p)
    of dkContainer: result = dirContainer(p)
    of dkContents: result = dirContents(p)
-    of dkRaw: result = dirRaw(p)
+    of dkRaw:
+      if roSupportRawDirective in p.s.options:
+        result = dirRaw(p)
+      else:
+        rstMessage(p, errInvalidDirectiveX, d)
    of dkCodeblock: result = dirCodeBlock(p)
    of dkIndex: result = dirIndex(p)
    else: rstMessage(p, errInvalidDirectiveX, d)