[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13
Chris Withers
chrisw@nipltd.com
Tue, 17 Dec 2002 20:52:28 +0000
R. David Murray wrote:
> On Tue, 17 Dec 2002, Chris Withers wrote:
>
>>But you can already import arbitrary modules if you dump them in the Products
>>directory. Is that dangerous?
>
>
> FSVO dangerous, yes <grin>. But that's a facetious answer.
>
> The issue here (assuming I'm understanding it correctly, of course)
> is that once your patch is in, someone can do that arbitrary import
> from a pythonscript through the web.

This isn't the case at all. The patch 'pre-imports' the module to give it a
chance to make security declarations. Any module failing to do so will still
fail to import.

>>It'd probably be just as easy for someone with the prerequisite knowledge to
>>spend 5 minutes coming up with a fix that makes everyone happy and the security
>>assertions work as documented.
>
> Yeah, if someone with the requisite knowledge has the five minutes
> *and* the motivation....
Indeed.
Chris
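
The behaviour described in the reply above (pre-import the module so it can make its security declarations, then refuse it if it made none), as an added stand-alone model that is not part of the original message and is not Zope's code. The names `declare_module`, `guarded_import`, `toy_security` and the two sample modules are hypothetical and constructed for the example.

```python
import importlib, pathlib, sys, tempfile, types

class Unauthorized(Exception):
    """Restricted code asked for a module that made no security declaration."""

_declared = {}  # hypothetical registry: module name -> names restricted code may read

def declare_module(name, *allowed):
    """Called by a module at import time to opt in to restricted access."""
    _declared[name] = frozenset(allowed)

# Publish the registry under a constructed module name so sample modules can import it.
_api = types.ModuleType("toy_security")
_api.declare_module = declare_module
sys.modules["toy_security"] = _api

def guarded_import(name):
    """Pre-import `name` so it can declare itself, then enforce the declaration."""
    if name not in _declared:
        try:
            importlib.import_module(name)   # runs the module's top-level code
        except ImportError:
            raise Unauthorized(name) from None
    if name not in _declared:               # imported, but made no declaration
        raise Unauthorized(name)
    mod = sys.modules[name]                 # expose declared names only
    return types.SimpleNamespace(**{n: getattr(mod, n) for n in _declared[name]})

# Constructed sample modules, written to a temp dir so the example runs offline.
_SAMPLES = {
    "toy_declared": "from toy_security import declare_module\n"
                    "declare_module(__name__, 'greet')\n"
                    "def greet(): return 'hello'\n"
                    "def internal(): return 'not exposed'\n",
    "toy_undeclared": "def read(): return 'data'\n",
}

def demo():
    root = tempfile.mkdtemp()
    for name, source in _SAMPLES.items():
        pathlib.Path(root, name + ".py").write_text(source)
    sys.path.insert(0, root)
    ok = guarded_import("toy_declared")
    try:
        guarded_import("toy_undeclared")
        refused = False
    except Unauthorized:
        refused = True
    # The refused module was still executed and cached by the pre-import.
    return ok.greet(), hasattr(ok, "internal"), refused, "toy_undeclared" in sys.modules
```

The last element of `demo()`'s result shows the point worth reviewing in any pre-import design: the undeclared module is refused to the caller, but its top-level code has already run in the process.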