21 Nov 2003, 8 p.m.
Martijn Pieters wrote at 2003-11-20 16:21 -0500:
> On Thu, Nov 20, 2003 at 07:14:18PM +0100, Dieter Maurer wrote:
> > I made a ZSyncer variant that uses ZPublisher.Client as RPC protocol and Python's "pickle" to marshal data. This gets rid of XML-RPC. If anyone is interested, let me know...
>
> Watch out with pickles; if I can upload an arbitrary pickle to your machine I can get full control of your Zope process, as pickles would allow me to construct arbitrary instances of Python objects.

I can do this with ZSyncer anyway -- even if it uses XML-RPC. Its payload is a pickle that gets imported in the destination.

-- Dieter
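The point made in this exchange is that the transport (XML-RPC or ZPublisher.Client) does not matter once the receiver unpickles the payload. The following is an added example, not code from this thread or from ZSyncer: a receiving side that refuses any pickle referencing a global outside an allow-list. It is written for present-day Python 3; `ALLOWED_GLOBALS`, `AllowListUnpickler`, `safe_loads` and `check` are hypothetical names, and both payloads are constructed samples.

```python
import io
import pickle
from fractions import Fraction

# Assumption: the sync payload only needs plain containers, strings and numbers.
# Those are encoded by dedicated pickle opcodes and never go through find_class,
# so the allow-list of importable globals can stay almost empty.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals named in ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # Called for every class or function the pickle stream asks to import.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads on untrusted input."""
    return AllowListUnpickler(io.BytesIO(data)).load()


def check(data: bytes):
    """Return ("accepted", obj) or ("rejected", reason) for one payload."""
    try:
        return ("accepted", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample 1: plain data, as a sync payload might carry.
PLAIN = pickle.dumps({"id": "doc1", "tags": {"a", "b"}, "size": 42})

# Constructed sample 2: an instance of a class chosen by the sender.
# Fraction is harmless; it stands in for "an arbitrary Python object".
INSTANCE = pickle.dumps(Fraction(1, 3))

if __name__ == "__main__":
    print(check(PLAIN))
    print(check(INSTANCE))
    # Unrestricted loading builds whatever object the sender named.
    print(pickle.loads(INSTANCE))
```

An allow-list narrows what a pickle can instantiate; it does not make pickle a safe format for untrusted senders, so authenticating the peer is still required.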