[Zope] BIG security hole in www.zope.org
Andy Dustman
adustman@comstar.net
Thu, 16 Sep 1999 18:09:47 -0400 (EDT)
On Thu, 16 Sep 1999 davidbro@namshub.org wrote:
> I can see it... I think he's right.
>
> Perhaps this is a general Zope problem. He got the index_html through
> acquisition, and it edited it in place.
>
> Perhaps it should work like NewtonScript -- you could get to object
> attributes in a similar way, but if you changed them, it stored the
> changed attribute in the local object, rather than in the inherited
> object.
>
> Like this: ObjectA has attribute A, and ObjectB inherits from ObjectA.
> You can evaluate an expression like "ObjectB.A" and it would fetch the
> value from ObjectA. But if you changed the value, like "ObjectB.A =
> foo", that created an attribute A in ObjectB. Copy on write, so to
> speak.
Yeah, I was hoping it worked that way. Hopefully this is just a problem
with the Zope web site and not Zope itself.
--
andy dustman | programmer/analyst | comstar.net, inc.
telephone: 770.485.6025 / 706.549.7689 | icq: 32922760 | pgp: 0xc72f3f1d
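
The two behaviours contrasted in this message (editing an acquired object in place versus copy on write), as an added example that is not part of the original email and is not Zope's own code. It is a toy containment model in plain Python; the names Folder, Document, edit_in_place and edit_copy_on_write are hypothetical.

```python
import copy

class Document:
    """Stand-in for an editable object such as index_html (constructed sample)."""
    def __init__(self, body):
        self.body = body

class Folder:
    """Toy container: names not found locally are looked up in the parent."""
    def __init__(self, parent=None, **items):
        self.parent = parent
        self.items = dict(items)

    def lookup(self, name):
        """Walk up the containment chain and return (owner, object)."""
        node = self
        while node is not None:
            if name in node.items:
                return node, node.items[name]
            node = node.parent
        raise KeyError(name)

    def edit_in_place(self, name, body):
        """Behaviour described in the thread: the acquired object itself is modified."""
        _, obj = self.lookup(name)
        obj.body = body

    def edit_copy_on_write(self, name, body):
        """Proposed behaviour: copy an acquired object locally before changing it."""
        owner, obj = self.lookup(name)
        if owner is not self:
            obj = copy.deepcopy(obj)
            self.items[name] = obj
        obj.body = body

def demo():
    root = Folder(index_html=Document("site front page"))
    member, other = Folder(parent=root), Folder(parent=root)
    # In-place edit through a child changes what root and every sibling see.
    member.edit_in_place("index_html", "changed by member")
    shared = (root.lookup("index_html")[1].body, other.lookup("index_html")[1].body)
    root.items["index_html"].body = "site front page"  # reset the shared object
    # Copy on write confines the change to the folder that made it.
    member.edit_copy_on_write("index_html", "changed by member")
    isolated = tuple(f.lookup("index_html")[1].body for f in (root, other, member))
    return shared, isolated

if __name__ == "__main__":
    print(demo())
```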