[Zope] Passing all POST variables?

Martijn Pieters mj@digicool.com
Fri, 26 May 2000 14:17:40 +0200


On Fri, May 26, 2000 at 11:05:23AM +0100, Steve Alexander wrote:
> Here's a very silly idea:
> 
> Could you pickle and Base64 encode the data you want to pass, and then
> shove it in a single hidden control?

I am afraid that is a very silly security hole. Anyone can replace that pickle
with any other pickle, which the server will then instantiate. Anything goes.

I could, for example, pickle up a ZServer Monitor instance that listens on all
interfaces, and uses a password known by me. Base64 this pickle, send it to
your server, it'll create this instance, ZServer will pick it up (it works
that way, I am told), and suddenly, I can step into your Zope process from
anywhere, accessing all of the Zope process without restrictions, and having
access to your server as whatever user you are running Zope as.

So, no, not a good idea. Accepting pickles over the web never is.

-- 
Martijn Pieters
| Software Engineer    mailto:mj@digicool.com
| Digital Creations  http://www.digicool.com/
| Creators of Zope       http://www.zope.org/
|   The Open Source Web Application Server
---------------------------------------------
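The point Martijn makes above, shown in working Python. This is an added illustration, not code from the thread or from Zope: a pickle's `__reduce__` lets the sender decide which callable the server runs on load, so the "pickle and Base64 it into a hidden control" idea hands control to the client. `dict.fromkeys` is used as a harmless stand-in for the callable a crafted pickle would name, `NoGlobalsUnpickler` is the documented `find_class` restriction pattern, and the JSON-plus-HMAC scheme with the constructed `SERVER_SECRET` is the alternative a practitioner would use instead of accepting pickles at all.

```python
import base64
import hashlib
import hmac
import io
import json
import pickle

# ---------------------------------------------------------------------------
# 1. What the "pickle it into a hidden control" proposal lets a client do
# ---------------------------------------------------------------------------

class CraftedByClient:
    """Constructed demo object. When unpickled, __reduce__ tells the loader to call
    a callable of the client's choosing with the client's arguments. dict.fromkeys
    stands in for whatever constructor a hostile sender would name instead."""
    def __reduce__(self):
        return (dict.fromkeys, (["callable_chosen_by_client"], "with client args"))

def hidden_field_value(obj):
    """Client side of the proposal: pickle, then base64, into one hidden field."""
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")

def naive_server_side_load(field_value):
    """Server side of the proposal: trust the field and unpickle whatever arrived."""
    return pickle.loads(base64.b64decode(field_value))

def demonstrate_unsafe_load():
    """Returns whatever the client's pickle made the server construct.
    The server code never mentions dict.fromkeys, yet that is what runs."""
    return naive_server_side_load(hidden_field_value(CraftedByClient()))

# ---------------------------------------------------------------------------
# 2. If pickle truly cannot be avoided: refuse every global, so only data loads
# ---------------------------------------------------------------------------

class NoGlobalsUnpickler(pickle.Unpickler):
    """Every module-level name (class, function, builtin) is refused; resolving
    such a name is exactly what a pickle needs in order to instantiate anything."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")

def try_restricted_load(field_value):
    """("accepted", data) for plain dicts/lists/strings/numbers,
    ("rejected", reason) for anything that names a callable or class."""
    try:
        data = NoGlobalsUnpickler(io.BytesIO(base64.b64decode(field_value))).load()
        return ("accepted", data)
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

# ---------------------------------------------------------------------------
# 3. The better answer: a data-only format, authenticated so tampering is caught
# ---------------------------------------------------------------------------

# Constructed demo secret: a real deployment generates its own and keeps it server-side.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

def _encode_body(state):
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_state(state):
    """JSON carries no code, and the HMAC-SHA256 tag binds the body to this server."""
    body = _encode_body(state)
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode("ascii") + "." + tag

def try_verify_state(field_value):
    """Recompute the tag before parsing; an altered body or tag is rejected."""
    b64body, sep, tag = field_value.rpartition(".")
    if not sep:
        return ("rejected", "missing tag")
    body = base64.b64decode(b64body)
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ("rejected", "tag mismatch: field was altered or not issued here")
    return ("accepted", json.loads(body))

def replace_body_keep_tag(field_value, new_state):
    """Constructed tampering case: swap in a new body but keep the old tag."""
    _, _, tag = field_value.rpartition(".")
    return base64.b64encode(_encode_body(new_state)).decode("ascii") + "." + tag

if __name__ == "__main__":
    print("naive load built:", demonstrate_unsafe_load())
    print("restricted load of crafted pickle:", try_restricted_load(hidden_field_value(CraftedByClient())))
    print("restricted load of plain data:", try_restricted_load(hidden_field_value({"page": 2})))
    signed = sign_state({"page": 2, "q": "zope"})
    print("signed state verifies:", try_verify_state(signed))
    print("altered state verifies:", try_verify_state(replace_body_keep_tag(signed, {"page": 99})))
```

The restricted unpickler is a fallback, not a recommendation: it only holds as long as every `find_class` path is closed, and it still lets the client choose the shape and size of what gets built. Signed JSON avoids the problem rather than fencing it, which is the conclusion of the message above.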