[Zope-dev] Import from upload?

Toby Dickenson tdickenson@geminidataloggers.com
Mon, 05 Jun 2000 10:54:00 +0100


On Thu, 25 May 2000 11:19:30 -0400, "Evan Simpson" <evan@digicool.com>
wrote:

>Yesterday, Jim actually came up with the hint of the start of how web import
>could be made secure.  It should be possible to write an unpickler which
>consults the security machinery and ensures that the pickle doesn't
>instantiate anything that the user doesn't have permission to make.  It may
>be quite a while before someone actually writes this, unless one of you
>folks wants to give it a shot ;-)

I don't think that's going to fly. It's perfectly ok for a persistent
object to contain something that shouldn't be creatable.

For example, suppose I create my own DateTime class, which appears as
an attribute of a well behaved product class. I use ZCatalog to index
these attributes, then export the ZCatalog. Who can tell whether
MyDateTime is safe?



Toby Dickenson
tdickenson@geminidataloggers.com
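
The exchange above, as an added example that is not part of the original thread and is not Zope code: a permission-checking unpickler built on `find_class` from the Python 3 standard-library `pickle` module. The `PERMITTED` table and the user names are hypothetical, and standard-library classes stand in for the product class and for MyDateTime.

```python
import collections
import datetime
import io
import pickle

# Hypothetical stand-in for the security machinery: globals each user may create.
# OrderedDict plays the product class, datetime plays MyDateTime.
PERMITTED = {
    "importer": {("collections", "OrderedDict")},
    "manager": {("collections", "OrderedDict"), ("datetime", "datetime")},
}


class PermissionCheckedUnpickler(pickle.Unpickler):
    """Refuses any global the given user is not permitted to create."""

    def __init__(self, file, user):
        super().__init__(file)
        self.user = user
        self.refused = []

    def find_class(self, module, name):
        # Called for every class the pickle names, at any nesting depth.
        # Only (module, name) is visible, not the object's role in its container.
        if (module, name) not in PERMITTED.get(self.user, set()):
            self.refused.append((module, name))
            raise pickle.UnpicklingError(f"{self.user} may not create {module}.{name}")
        return super().find_class(module, name)


def try_import(data, user):
    """Return (object or None, refused globals) for an uploaded export."""
    unpickler = PermissionCheckedUnpickler(io.BytesIO(data), user)
    try:
        return unpickler.load(), unpickler.refused
    except pickle.UnpicklingError:
        return None, unpickler.refused


def sample_export():
    # Constructed sample: a permitted container holding an attribute whose
    # class the importing user cannot create directly.
    product = collections.OrderedDict(title="logger", installed=datetime.datetime(2000, 6, 5))
    return pickle.dumps(product)


if __name__ == "__main__":
    for user in ("importer", "manager"):
        print(user, try_import(sample_export(), user))
```

For "importer" the whole export is refused because of the nested attribute, although the outer container is permitted; for "manager" it loads.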