On Fri, May 26, 2000 at 11:05:23AM +0100, Steve Alexander wrote:
Here's a very silly idea:
Could you pickle and Base64 encode the data you want to pass, and then shove it in a single hidden control?
I am afraid that is a very silly security hole. Anyone can replace that pickle with any other pickle, which the server will then instantiate. Anything goes.

I could, for example, pickle up a ZServer Monitor instance that listens on all interfaces, and uses a password known by me. Base64 this pickle, send it to your server, it'll create this instance, ZServer will pick it up (it works that way, I am told), and suddenly, I can step into your Zope process from anywhere, accessing all of the Zope process without restrictions, and having access to your server as whatever user you are running Zope as.

So, no, not a good idea. Accepting pickles over the web never is.

-- 
Martijn Pieters | Software Engineer
mailto:mj@digicool.com | Digital Creations
http://www.digicool.com/ | Creators of Zope
http://www.zope.org/ | The Open Source Web Application Server
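As an added example, not code from this thread or from Zope: the two defences a practitioner would reach for here, in Python. A restricted Unpickler that refuses to resolve any class (plain data still loads, but nothing can be instantiated), and the better option of putting plain JSON in the hidden control with an HMAC tag so the server notices any replaced value. SECRET_KEY, the sample pickles and the field layout are constructed for this example.

```python
import base64
import datetime
import hashlib
import hmac
import io
import json
import pickle

# Constructed server-side secret (assumption: kept on the server, never placed in the form).
SECRET_KEY = b"constructed-example-secret-do-not-use"


class NoObjectsUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class or callable.

    Plain data (ints, strings, lists, dicts, ...) still loads; a pickle that
    names a class to instantiate (the case described above) is rejected.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name} from an untrusted pickle")


def safe_loads(data):
    """Return the plain data in the pickle, or None if it referenced any class."""
    try:
        return NoObjectsUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


# Constructed samples: plain data, and a pickle that asks the unpickler to resolve a class.
PLAIN_PICKLE = pickle.dumps({"page": 2, "sort": ["name", "date"]})
OBJECT_PICKLE = pickle.dumps(datetime.date(2000, 5, 26))


def encode_hidden_field(state):
    """Serialise form state as JSON (data only, no objects) and prepend an HMAC-SHA256 tag."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode()


def decode_hidden_field(field):
    """Verify the tag before parsing; return None if the field was altered or malformed."""
    try:
        raw = base64.urlsafe_b64decode(field.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    tag, payload = raw[:32], raw[32:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)
```

The restricted unpickler only limits the damage; the signed JSON field is the form to actually use, since the client then cannot change the data at all without the server rejecting it.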