[Zope-dev] Re: Unsecure design of ExternalFile
Jonagustine Lim
jonagustine_lim@yahoo.com
Thu, 7 Nov 2002 11:15:53 -0800 (PST)
--- sean.upton@uniontrib.com wrote:
> I'm not familiar with ExternalFile, but likely plan to use it in the future.
> I think a list of expressly permitted directory locations (including all subdirectories) might be more secure. You can't go wrong with a default directory for files (perhaps $INSTANCE_HOME/var/files or something?), but otherwise an implicit deny all - then leave it up to the user to edit some access list file in the product (for example, call it 'diraccess.txt').
> Does this seem reasonable?
Yeah that sounds reasonable to me.
Jon
=====
------------------------------------------
JONAGUSTINE LIM
Email: jonagustine_lim@yahoo.com
ICQ: 2084238
------------------------------------------
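A sketch of the access list proposed in the quoted message, added here as an example and not ExternalFile's own code. The file format (one absolute directory per line, `#` comments) and the function names are assumptions; only the default directory and the `diraccess.txt` name come from the thread.

```python
import os
import tempfile

def load_allowed_dirs(text, instance_home):
    """Parse access-list text (assumed format); the default directory is always allowed."""
    dirs = [os.path.join(instance_home, "var", "files")]
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            dirs.append(entry)
    # Relative entries are dropped: their meaning would depend on the process cwd.
    return [os.path.realpath(d) for d in dirs if os.path.isabs(d)]

def is_permitted(path, allowed_dirs):
    """Implicit deny: True only if the resolved path lies inside an allowed directory."""
    real = os.path.realpath(path)  # collapses '..' and follows symlinks
    for base in allowed_dirs:
        try:
            # commonpath compares whole components, so /srv/docs_private
            # does not match an allowed /srv/docs the way startswith() would.
            if os.path.commonpath([real, base]) == base:
                return True
        except ValueError:  # e.g. paths on different drives on Windows
            continue
    return False

def demo():
    """Build a constructed directory tree and check six sample paths against it."""
    root = os.path.realpath(tempfile.mkdtemp())
    home = os.path.join(root, "instance")
    files = os.path.join(home, "var", "files")
    extra = os.path.join(root, "srv", "docs")
    lookalike = os.path.join(root, "srv", "docs_private")
    for d in (os.path.join(files, "sub"), extra, lookalike):
        os.makedirs(d)
    os.symlink(root, os.path.join(files, "escape"))  # link leading out of the allowed tree
    listing = "# constructed diraccess.txt\n%s\nrelative/dir\n" % extra
    allowed = load_allowed_dirs(listing, home)
    cases = {
        "default": os.path.join(files, "sub", "a.txt"),
        "listed": os.path.join(extra, "b.txt"),
        "dotdot": os.path.join(files, "..", "..", "etc", "zope.conf"),
        "lookalike": os.path.join(lookalike, "c.txt"),
        "symlink": os.path.join(files, "escape", "srv", "docs_private", "c.txt"),
        "unlisted": os.path.join(root, "other.txt"),
    }
    return {name: is_permitted(p, allowed) for name, p in cases.items()}

if __name__ == "__main__":
    print(demo())
```

The check only holds if the file is then opened through the same resolved path that was checked, and if the access list itself is not writable through the web.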