[Zope] Re: How to use methods from OFS?
Martin Gebert
Murphy@members.netsolution-net.de
Tue, 15 Oct 2002 21:13:28 +0200
Josef Meile wrote:
>>please read:
>>
>>Zope/lib/python/Products/PythonScripts/README.txt
>>
>>
>
>Nice, but I think allowing modules isn't the solution. When
>I was a newbie, I had the same question about the "eval" function,
>then somebody answered me that if you allowed that function,
>a skilled user could make a malicious script which erases information
>on your Zope server, or he could even call the function itself through
>the web. So, I guess that if the Zope developers didn't include a
>module / function, it is because it has some security issues. Perhaps the
>solution would be creating an external method that calls the routine
>you need.
>
>
On the other hand, the Zope Image and File objects do use the same
method, so I (am willing to) trust the provided code, esp. 'cause it's
part of the Zope core. Of course I was restrictive in providing access
to that function, and didn't make the whole module available...
Do you (or anybody else) know more about the security issues in using
OFS or other modules this way? Is there *positively* a problem? To what
extent?
Martin