In article <37DE5A9A.3B5EBBA0@4-am.com>, Evan Simpson <evan@4-am.com> writes
> Robin Becker wrote:
> > Couldn't this and similar things be done as a property setting on the method? Then you could have a proxy security to allow various degrees of un-safeness rather than just hack the code for all people. So really safe people could open files on the server etc., others could do regexps etc. etc.
>
> Well... Sort of. I mean, yes, obviously this can be done, but there's a problem: once *anyone* is allowed access to unsecure PythonMethods, you've got a fairly large security risk going unless you routinely manage your server through https.
>
> Suppose someone snoops your management sessions and grabs the username/password you use for site administration. Normally, this lets them destroy or subvert the contents of your ZODB, but that's all. With scarywildunchained PythonMethods in the picture, they now have full access to your system as 'nobody', or whatever you run Zope under. On Windows, at least, this could be effectively root access.
>
> This *can* be made secure (I think) by routing all management through an SSL-enabled server and shutting off Zope2's other port access methods, but it's not secure by *default*, which is a concern.
>
> The upshot of all this is that I'll probably make unsecure PythonMethods an option, but not through the web interface. I'll probably make it a switch in the source code, down in a broom closet in the basement with a sign on the door saying "Beware of the Leopard".
>
> and-don't-forget-the-toe-gremlins-ly y'rs Evan Simpson

...

Ok, I see we're getting more deeply into what can be imported and what can't. How can you snoop into another thread? As I understand it at present the PMs can only access their locals. If I can get access to any form of peek/poke I can certainly do nasty things. But can I do this with the re module? The sys module is certainly dangerous, as is the thread module since it might allow us to use up all the threads. Since denial of service is possible with looping constructs, any form of non-resource-limited thing is insecure. I'm fairly sure individual threads in Python aren't resource limited and unless Zope contains some kind of watchdog simple PMs are insecure. Importing re might make them more insecure by using up resources more rapidly (I believe certain regexps are very CPU intensive), but I don't think they change the quality of the insecurity.

-- Robin Becker
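The kind of watchdog Robin says Zope lacks, as an added example that is not part of the thread and not Zope's or PythonMethods' code (the names run_with_watchdog, spin_forever, backtracking_match and add_up are my own): the untrusted callable runs in a forked child process with a CPU-time rlimit plus a wall-clock join timeout, so a runaway loop or a backtracking-heavy regexp is killed instead of tying up the server. This assumes a Unix host, since it relies on the resource module and the fork start method; the inputs are constructed for the demonstration.

```python
import multiprocessing as mp
import re
import resource

# Unix-only: fork keeps the callable and its arguments in the child without
# pickling, and RLIMIT_CPU is enforced by the kernel rather than by Python.
_ctx = mp.get_context("fork")


def _run_limited(target, args, cpu_seconds, conn):
    """Child side: cap CPU time, then run the untrusted callable."""
    # Soft == hard limit, so exceeding it delivers SIGXCPU with its default
    # action (terminate); no Python-level cooperation from the callable needed.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    try:
        conn.send(("ok", target(*args)))
    except BaseException as exc:  # report any failure back to the parent
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_with_watchdog(target, args=(), cpu_seconds=1, wall_seconds=3):
    """Run target(*args) under a CPU-time and wall-clock budget.

    Returns ("ok", result), ("error", repr), or ("killed", reason).
    """
    parent_conn, child_conn = _ctx.Pipe(duplex=False)
    proc = _ctx.Process(target=_run_limited,
                        args=(target, args, cpu_seconds, child_conn))
    proc.start()
    child_conn.close()  # parent keeps only the read end
    proc.join(wall_seconds)
    if proc.is_alive():
        # Sleeping or blocked on I/O would not consume CPU time, so the
        # wall-clock limit is the second line of defence.
        proc.kill()
        proc.join()
        return ("killed", "wall-clock limit exceeded")
    try:
        if parent_conn.poll(0.1):
            return parent_conn.recv()
    except EOFError:
        pass  # child died (e.g. SIGXCPU) before sending a result
    return ("killed", f"child exit code {proc.exitcode}")


# Constructed sample workloads standing in for untrusted PythonMethod bodies.
def add_up(n):
    return sum(range(n))


def spin_forever():
    while True:  # the plain looping construct from the discussion
        pass


def backtracking_match(n):
    # Nested quantifiers on an input that can never match: the matcher
    # backtracks exponentially, which is the "CPU intensive regexp" case.
    return re.match(r"(a+)+$", "a" * n + "b") is not None


if __name__ == "__main__":
    print(run_with_watchdog(add_up, (1000,)))          # ('ok', 499500)
    print(run_with_watchdog(spin_forever))             # ('killed', ...)
    print(run_with_watchdog(backtracking_match, (40,)))  # ('killed', ...)
```

The CPU rlimit is what makes this a resource limit rather than a cooperative timeout: the kernel terminates the child no matter what the callable is doing, whereas a signal-based alarm inside the same process may not fire until a long C-level regexp match returns. The wall-clock join covers code that blocks instead of spinning.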