[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13
R. David Murray
rdmurray@fcgnetworks.net
Tue, 17 Dec 2002 14:59:41 -0500 (EST)
On Tue, 17 Dec 2002, Chris Withers wrote:
> But you can already import arbitary modules if you dump them in the Products
> directory. Is that dangerous?
FSVO dangerous, yes <grin>. But that's a facetious answer.
The issue here (assuming I'm understanding it correctly, of course)
is that once your patch is in, someone can do that arbitrary import
from a pythonscript through the web. Even if you don't "allow"
untrusted users to to TTW scripting, if someone manages to get
access to create a script through some other bug, they then have
this further hole to try to worm their way through. That's what I
mean by the need for defense in depth.
> It'd probably be just as easy for someone with the prerequisite knowledge to
> spend 5 minutes coming up with a fix that makes everyone happy and the secuirty
> assertions work as documented.
Yeah, if someone with the requisite knowledge has the five minutes
*and* the motivation....
--RDM