[Zope-dev] Import from upload?
Toby Dickenson
tdickenson@geminidataloggers.com
Mon, 05 Jun 2000 10:54:00 +0100
On Thu, 25 May 2000 11:19:30 -0400, "Evan Simpson" <evan@digicool.com>
wrote:
>Yesterday, Jim actually came up with the hint of the start of how web import
>could be made secure. It should be possible to write an unpickler which
>consults the security machinery and ensures that the pickle doesn't
>instantiate anything that the user doesn't have permission to make. It may
>be quite a while before someone actually writes this, unless one of you
>folks wants to give it a shot ;-)

I don't think that's going to fly. It's perfectly ok for a persistent
object to contain something that shouldn't be creatable.

For example, suppose I create my own DateTime class, which appears as
an attribute of a well behaved product class. I use ZCatalog to index
these attributes, then export the ZCatalog. Who can tell whether
MyDateTime is safe?
Toby Dickenson
tdickenson@geminidataloggers.com
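
A sketch of the permission-checking unpickler proposed in the quoted message, run against the ZCatalog case raised in the reply. This is an added example, not code from the thread or from Zope; the classes Catalog and MyDateTime, the CREATABLE table and the user names are hypothetical stand-ins for the security machinery.

```python
import io
import pickle

# Hypothetical stand-ins for the classes named in the thread.
class Catalog:
    """Well-behaved product class that indexes attribute values."""
    def __init__(self):
        self.index = {}

class MyDateTime:
    """Helper class that only ever appears as a stored attribute value."""
    def __init__(self, stamp):
        self.stamp = stamp

def key(cls):
    return (cls.__module__, cls.__qualname__)

# Constructed permission table: which user may instantiate which classes.
# It stands in for the real security machinery, which this sketch never calls.
CREATABLE = {"importer": {key(Catalog)}}

class PermissionUnpickler(pickle.Unpickler):
    def __init__(self, file, user):
        super().__init__(file)
        self.user = user

    def find_class(self, module, name):
        # Called once per global the pickle references. The only facts
        # available at this point are the module and class name.
        if (module, name) not in CREATABLE.get(self.user, set()):
            raise pickle.UnpicklingError(
                "%s may not create %s.%s" % (self.user, module, name))
        return super().find_class(module, name)

def build_export(with_dates):
    """Pickle a Catalog whose index holds a MyDateTime or a plain string."""
    cat = Catalog()
    cat.index["created"] = MyDateTime("2000-06-05") if with_dates else "2000-06-05"
    return pickle.dumps(cat)

def try_import(data, user):
    """Return the class name of the loaded object, or 'refused'."""
    try:
        obj = PermissionUnpickler(io.BytesIO(data), user).load()
        return type(obj).__name__
    except pickle.UnpicklingError:
        return "refused"
```

The export that embeds MyDateTime is refused even though the importing user may create Catalog objects: the unpickler sees only a class name it has no permission entry for, and refusing is the only safe default.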