On Sun, 18 Jul 1999, Robin Becker wrote:
> In article <lswvvxkauu.fsf@aldous.digicool.com>, michel@digicool.com writes
> > Robin Becker <robin@jessikat.demon.co.uk> writes:
> > ...
> > XML-RPC worms (now THAT would be cool!). The last thing we want to see is a back orifice for Zope, which is exactly what I think could be developed if we ever provided a hole through Zope's security machinery.
> >
> > -Michel
>
> in which case why allow any external methods since these allow exactly the things you wish to forbid.

Well, that's why they have to be installed in the filesystem. A mere Zope site manager password is not enough for this :)

> Sitting at a terminal I can create a hole this hole which is propagated via Zope. What is the difference if the hole is programmed via Zope.

The difference is authentication. I might allow some dummies management access to Zope. Allowing the user to add his own external methods without administration intervention is like allowing the user to install his own CGI scripts. This can go wrong very fast.

Andreas
--
Win95: n., A huge annoying boot virus that causes random spontaneous system crashes, usually just before saving a massive project. Easily cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS, Win 3.x, Win98.