[Zope] - ANN: CodeIt does Zope hosting

Paul Everitt Paul@digicool.com
Fri, 22 Jan 1999 19:18:50 -0500


Gabe wrote:
> I'm curious -- has Zope been analyzed from a security point of view? I
> honestly haven't thought this through -- perhaps the security 
> issues are no
> more than that of CGI..

If "analyzed" means "Did we get a 3rd party audit?", no.

However, the whole of Zope was built for safe, through-the-web editing.
Security is the reason that some things aren't as elegant as you'd like,
such as the expression syntax and not storing Python code in the
database.

In general, when talking about the through-the-web part of Zope:

o The access control machinery tries to cover nearly everything

o Jim Fulton went to great lengths to make DTML and expr's "safe",
though more work can be done.

o Hallelujah, you _don't_ deal with files on the filesystem! :^)

o All user information and security information is internal to Zope and
not mixed in with /etc/passwd or group, file system permissions, etc.

o Users only exist in their part of the Folder system, thus can't take
control of someone else's area

...plus more I probably haven't thought of.
 
--Paul