Are ZEXP files safe? - Zope - Zope lists

newer
execv inside zope

Are ZEXP files safe?

older
can someone help me with PIL

Jordan Baker

2 Mar 2007 2 Mar '07

8:21 p.m.

I seem to recall hearing in the past that unpickling in general was insecure for some reason. I'd like to allow less-priveleged users to upload their ZEXP files on their own and import them into their own Folders. Are there any security issues with ZEXP import? Thanks, -jordan. jbb@scryent.com

Reply

Sign in to reply online Use email software

Show replies by date

Martijn Pieters

2 Mar 2 Mar

9:10 p.m.

New subject: [Zope] Are ZEXP files safe?

On 3/2/07, Jordan Baker <jbb@scryent.com> wrote:

I seem to recall hearing in the past that unpickling in general was insecure for some reason.

I'd like to allow less-priveleged users to upload their ZEXP files on their own and import them into their own Folders.

Are there any security issues with ZEXP import?

You heard correctly; pickles can contain arbitrary python classes and code and no security checks are done when importing ZEXP files. This means a user can completely control your server with a correctly crafted upload. -- Martijn Pieters

Reply

Sign in to reply online Use email software

6974

Age (days ago)

6974

Last active (days ago)

1 comments

2 participants

tags

participants (2)

Jordan Baker
Martijn Pieters