Hi,

A few people have recently been asking about the ability to import .zexp's into the FreeZope accounts NIP offers. This is something we'd like to offer but need to understand the security risks first. IIRC, the reason why import is not available straight 'through the web' is that there are security implications.

Could someone run these by me again...

cheers,

Chris
Chris Withers wrote:

> A few people have recently been asking about the ability to import .zexp's into the FreeZope accounts NIP offers.
> This is something we'd like to offer but need to understand the security risks first. IIRC, the reason why import is not available straight 'through the web' is that there are security implications.
> Could someone run these by me again...
Simple: it's wildly unpredictable what people would be able to do. With a .zexp it's possible to instantiate any Python class including system classes. But it's not possible to include actual code.

So there would probably be a way to access any readable file from the filesystem, shut down Zope, rewrite or remove all content from Data.fs, and maybe even get root by restarting in some strange way, but it would all have to be done in a *really* clever way. That's just the kind of challenge intruders crave.

I don't want to have to deal with that, do you?

Shane
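The risk Shane describes is the general one for any pickle-based format (a .zexp is a ZODB export made of pickled object records): the loader resolves whatever module/class names the file asks for, so an untrusted file can instantiate classes the site never intended. The standard mitigation is to allowlist the classes the loader may resolve and refuse everything else before any object is built. The Python 3 below is an added example, not Zope or ZODB code; the `ALLOWED` set and the sample pickles are constructed for the demonstration, and a real import feature would have to enumerate the Zope classes a site actually permits.

```python
import collections
import datetime
import io
import pickle

# Constructed allowlist: the only (module, name) pairs the loader may resolve.
# Hypothetical for this example; a Zope deployment would list its own classes.
ALLOWED = {
    ("datetime", "date"),
    ("builtins", "dict"),
    ("builtins", "list"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED.

    find_class is called for every GLOBAL/STACK_GLOBAL opcode, before the
    referenced class is used to construct anything, so a forbidden
    reference is rejected without instantiating the object.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is forbidden by the import allowlist"
        )


def restricted_loads(data: bytes):
    """Load a pickle stream with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(data: bytes):
    """Return (True, object) on success or (False, reason) when rejected."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample inputs, standing in for records inside an uploaded file.
# A record that only needs an allowed class (datetime.date) plus plain containers:
SAMPLE_ALLOWED = pickle.dumps({"created": datetime.date(2001, 1, 1), "tags": ["a"]})
# A record that references a class outside the allowlist; OrderedDict is harmless,
# the point is that the reference is refused before construction:
SAMPLE_REJECTED = pickle.dumps(collections.OrderedDict(x=1))


if __name__ == "__main__":
    for label, blob in (("allowed", SAMPLE_ALLOWED), ("rejected", SAMPLE_REJECTED)):
        ok, result = load_or_reject(blob)
        print(label, "->", "loaded" if ok else "REFUSED", result)
```

The allowlist is deliberately a closed set of exact (module, name) pairs rather than a module prefix: a prefix such as "everything under Products." would still let an upload pick any class in that tree, which is exactly the breadth of behaviour Shane warns is hard to predict. The same check belongs in front of whatever loader actually reads the export, not in a separate pre-scan, so there is no window where a second parser sees different bytes.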
Participants (2): Chris Withers, Shane Hathaway