[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13
Martijn Pieters
mj@zope.com
Tue, 17 Dec 2002 16:13:15 -0500
On Tue, Dec 17, 2002 at 08:53:39PM +0000, Chris Withers wrote:
> Martijn Pieters wrote:
> >On Tue, Dec 17, 2002 at 07:46:18PM +0000, Chris Withers wrote:
> >
> >>But you can already import arbitrary modules if you dump them in the
> >>Products directory. Is that dangerous?
> >
> >The point is that untrusted users can cause imports.
>
> But they can do that anyway, just by dumping a package in the Products
> directory.

If you can dump something in the Products dir, you already have plenty of
access.

> >Only admins can cause
> >packages to be placed in Products; your change allows *any* package to be
> >imported.
>
> But only 'admins' can install packages...

They may be different people.

--
Martijn Pieters
| Software Engineer mailto:mj@zope.com
| Zope Corporation http://www.zope.com/
| Creators of Zope http://www.zope.org/
---------------------------------------------