[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13
Chris Withers
chrisw@nipltd.com
Tue, 17 Dec 2002 19:06:37 +0000
Shane Hathaway wrote:
>> How so?
>
> It is not safe to let untrusted users import arbitrary modules.
Why not?
>> But surely you'd have to get the module onto the filesystem in order
>> for it to be importable? AFAIR, all bets are off once you can put code
>> onto the filesystem and so for a security hole to be opened by this
>> code, your system would have to be badly compromised anyway...
>
> Not true. You need only import a module that has a side effect or which
> assumes it runs only from the command line.
Can you give me an example?
>> That said, if you can provide a better solution to the problem, I'm
>> all ears :-)
>
> I shouldn't work on this right now. Please revert the change, and we
> can discuss a proper fix later.
I'm loath to remove the fix until a proper solution is found. This one works for
me, but if you (or anyone else) can give me some pointers as to how it _should_
be fixed then I'm happy to do the work.
cheers,
Chris
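The point Shane is making above is that Python executes a module's body when it is first imported, so "import" is itself a way to run code: a module that does work at module level (opens a socket, writes a file, parses sys.argv and calls sys.exit because it expects to be run as a script) does that work the moment restricted code names it. Two real standard-library cases: `import this` prints to stdout and `import antigravity` opens a web browser. The following is an added example, not code from Zope or from anyone on this thread; it constructs a throwaway module with an import-time side effect in a temp directory, then contrasts an import that trusts the caller's module name with a hypothetical allow-list guard (`SAFE_MODULES` is an assumed policy, not Zope's actual list).

```python
"""Added example: why letting untrusted code import arbitrary modules is unsafe."""
import importlib
import os
import shutil
import sys
import tempfile

# Assumed allow-list for the demo; a real sandbox would derive this from policy.
SAFE_MODULES = {"math", "string"}


def make_untrusted_module(directory, name="side_effect_mod"):
    """Write a module whose top-level body has a side effect (constructed for the demo).

    The side effect here is writing a marker file; in real life it could be
    opening a network connection, deleting data, or calling sys.exit().
    """
    marker = os.path.join(directory, "imported.marker")
    src = (
        "# Module-level code runs at import time, before any function is called.\n"
        f"with open({marker!r}, 'w') as f:\n"
        "    f.write('module body executed')\n"
        "\n"
        "def helper():\n"
        "    return 42\n"
    )
    with open(os.path.join(directory, name + ".py"), "w") as f:
        f.write(src)
    return name, marker


def unsafe_import(name):
    """Import whatever the (untrusted) caller names. The module body runs unconditionally."""
    return importlib.import_module(name)


def guarded_import(name):
    """Allow-list guard: refuse before any import machinery touches the module.

    Checking the top-level package is what matters, since importing 'pkg.sub'
    executes pkg/__init__.py first.
    """
    top = name.split(".")[0]
    if top not in SAFE_MODULES:
        raise ImportError(f"import of {name!r} is not permitted in restricted code")
    return importlib.import_module(name)


def demo():
    """Run both imports against the constructed module; return what happened."""
    tmp = tempfile.mkdtemp()
    name, marker = make_untrusted_module(tmp)
    sys.path.insert(0, tmp)
    importlib.invalidate_caches()  # make the freshly written file visible
    results = {}
    try:
        try:
            guarded_import(name)
            results["guarded_blocked"] = False
        except ImportError:
            results["guarded_blocked"] = True
        # Guard refused before execution: no side effect yet.
        results["marker_after_guarded"] = os.path.exists(marker)

        unsafe_import(name)
        # Merely importing ran the module body and created the file.
        results["marker_after_unsafe"] = os.path.exists(marker)
    finally:
        sys.path.remove(tmp)
        sys.modules.pop(name, None)
        shutil.rmtree(tmp, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the guard makes its decision on the name alone and never calls into the import system for a rejected name; a check that imports first and inspects the module afterwards would already be too late, because the body has executed by then.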