M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
> ... While I have not yet been able to break out of the restricted environment without help from installed products, there are a few denial-of-service attacks which can easily be deployed on sites allowing adding Python Scripts to a user folder:
>
> 1. Attack:
>
> Put this into a "Script (Python)" object and run it:
>
>     return 'kaboom'.encode('test.testall')
Attacks like this are well known and it is very difficult to prevent them reliably: Script (Python) (for good reasons) allows "while" and with it it is trivial to

  * create infinite loops
  * consume an unbounded amount of memory

That we hear very few problem reports in this respect indicates that these "insecurities" have very little practical importance -- maybe, because few installations grant the creation of scripts to untrusted people.

-- Dieter
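An added illustration of the point made in this thread (example code written for this page, not Zope's own code and not how "Script (Python)" objects are executed): a restricted compiler can remove dangerous names from a script, but it cannot stop a "while" loop from spinning or an allocation from growing, so the bound has to come from outside the interpreter. The script below runs an untrusted source string in a separate interpreter with RLIMIT_CPU, RLIMIT_AS and a wall-clock timeout applied around it, then classifies how the run ended. The limit values, the verdict names and the three sample scripts are assumptions chosen for the example; the memory bound is only enforced reliably on Linux, which the code checks for.

```python
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

# Limits chosen for this example (assumptions, not Zope settings).
CPU_SECONDS = 1          # soft RLIMIT_CPU: the kernel sends SIGXCPU once exceeded
MEMORY_BYTES = 1 << 30   # RLIMIT_AS: 1 GiB of address space for the child
WALL_SECONDS = 10        # fallback for scripts that block without burning CPU

# RLIMIT_AS is honoured on Linux; on other platforms treat the memory bound
# as best-effort only.
CAN_ENFORCE_MEMORY = sys.platform.startswith("linux")


@dataclass
class Outcome:
    verdict: str              # "ok", "cpu", "memory", "timeout" or "error"
    returncode: Optional[int]
    stdout: str
    stderr: str


def _set_limit(which: int, soft: int, hard: int) -> None:
    # Never try to raise an existing hard limit: that fails with ValueError
    # and would abort the child before the untrusted code even starts.
    _, cur_hard = resource.getrlimit(which)
    if cur_hard != resource.RLIM_INFINITY:
        hard = min(hard, cur_hard)
        soft = min(soft, hard)
    resource.setrlimit(which, (soft, hard))


def _apply_limits() -> None:
    # Runs in the child between fork() and exec(); the limits are inherited
    # by the interpreter that executes the untrusted source.
    _set_limit(resource.RLIMIT_CPU, CPU_SECONDS, CPU_SECONDS + 1)
    if CAN_ENFORCE_MEMORY:
        _set_limit(resource.RLIMIT_AS, MEMORY_BYTES, MEMORY_BYTES)
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))   # no core file on SIGXCPU


def _text(data) -> str:
    # TimeoutExpired may carry raw bytes (or None) even in text mode.
    if data is None:
        return ""
    return data.decode(errors="replace") if isinstance(data, bytes) else data


def run_limited(source: str) -> Outcome:
    """Run untrusted Python source in a fresh interpreter under CPU, memory
    and wall-clock limits, and report how it ended."""
    cmd = [sys.executable, "-I", "-c", source]   # -I: isolated mode, no site customisation
    try:
        proc = subprocess.run(
            cmd, capture_output=True, text=True,
            timeout=WALL_SECONDS, preexec_fn=_apply_limits,
        )
    except subprocess.TimeoutExpired as exc:
        return Outcome("timeout", None, _text(exc.stdout), _text(exc.stderr))
    if proc.returncode == 0:
        return Outcome("ok", 0, proc.stdout, proc.stderr)
    if proc.returncode == -signal.SIGXCPU:       # killed by the CPU-time limit
        return Outcome("cpu", proc.returncode, proc.stdout, proc.stderr)
    if "MemoryError" in proc.stderr:             # allocation refused by RLIMIT_AS
        return Outcome("memory", proc.returncode, proc.stdout, proc.stderr)
    return Outcome("error", proc.returncode, proc.stdout, proc.stderr)


# Constructed sample scripts: one benign, plus the two denial-of-service
# shapes the message describes (a loop that never ends and an allocation
# that never fits).
BENIGN = "print(sum(range(10**5)))"
INFINITE_LOOP = "while True:\n    pass\n"
MEMORY_BOMB = "buf = bytearray(10**10)\nprint(len(buf))\n"


if __name__ == "__main__":
    for name, src in [("benign", BENIGN), ("loop", INFINITE_LOOP), ("memory", MEMORY_BOMB)]:
        out = run_limited(src)
        print(f"{name:8s} -> {out.verdict} (rc={out.returncode}) {out.stdout.strip()}")
```

The point of the design is that nothing in the child's source is inspected: the loop and the allocation are stopped by the kernel, not by the compiler, which is exactly the bound an in-process restricted environment cannot provide on its own. A wall-clock timeout is kept alongside RLIMIT_CPU because a script that merely blocks (sleeping, waiting on a socket) consumes no CPU time and would otherwise run until the request is abandoned.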