[Zope-dev] use of exec in products considered harmful?
Toby Dickenson
tdickenson@geminidataloggers.com
Mon, 13 Mar 2000 12:55:54 +0000
On Fri, 10 Mar 2000 15:54:36 -0800, "Jonothan Farr" <jfarr@real.com>
wrote:
>I'm considering doing something in the LocalFS product that seems like a
>potentially huge security risk, which is calling exec on a string submitted
>through a form.
Yeah, that's a big hole.
> The reason is that I want to allow users to customize the object
>class associated with different content-types when the product constructs a Zope
>object from a local file.
Would something like the Brains class that can be set for SQL methods
do the job?
Toby Dickenson
tdickenson@geminidataloggers.com
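
Added example, not part of the original message and not LocalFS or Zope code: one way to let a form choose the class per content-type without exec is to treat the submitted string purely as a lookup key into classes the product author registered in code. All names here (File, Image, DTMLDocument, ALLOWED_CLASSES, TypeMap) are hypothetical stand-ins.

```python
# Added illustration; every class and name below is a hypothetical stand-in,
# not a LocalFS or Zope API.
import re


class File:
    def __init__(self, obj_id, data):
        self.id, self.data = obj_id, data


class Image(File):
    pass


class DTMLDocument(File):
    pass


# Only classes registered here by the product author (in code, not through
# the web) can ever be instantiated.
ALLOWED_CLASSES = {cls.__name__: cls for cls in (File, Image, DTMLDocument)}

_CONTENT_TYPE = re.compile(r"[a-z0-9][a-z0-9.+-]*/(\*|[a-z0-9][a-z0-9.+-]*)")


class TypeMap:
    """Content-type -> class mapping edited through a form."""

    def __init__(self):
        self._map = {}

    def set_from_form(self, content_type, class_name):
        # The submitted strings are validated and used only as dictionary
        # keys; they are never compiled, evaluated or imported.
        content_type = content_type.strip().lower()
        if not _CONTENT_TYPE.fullmatch(content_type):
            raise ValueError("bad content type: %r" % content_type)
        if class_name not in ALLOWED_CLASSES:
            raise ValueError("class not registered: %r" % class_name)
        self._map[content_type] = ALLOWED_CLASSES[class_name]

    def construct(self, obj_id, content_type, data):
        content_type = content_type.strip().lower()
        major = content_type.split("/", 1)[0]
        cls = (self._map.get(content_type)
               or self._map.get(major + "/*")
               or File)  # default when nothing is configured
        return cls(obj_id, data)
```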