[Zope] [ZSyncer] XML-RPC considered bad

Martijn Pieters mj at zope.com
Thu Nov 20 16:21:00 EST 2003


On Thu, Nov 20, 2003 at 07:14:18PM +0100, Dieter Maurer wrote:
> I made a ZSyncer variant that uses ZPublisher.Client as
> RPC protocol and Python's "pickle" to marshal data. This gets
> rid of XML-RPC. If anyone is interested, let me know...

Watch out with pickles; if I can upload an arbitrary pickle to your machine
I can get full control of your Zope process, as pickles would allow me to
construct arbitrary instances of Python objects.

-- 
Martijn Pieters
| Software Engineer  mailto:mj at zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
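
The risk raised in the message above comes from the unpickler resolving any class the stream names. The following is an added example, not part of the original message or of ZSyncer: a receiver that overrides `pickle.Unpickler.find_class` so that only allowlisted globals can be resolved. The names `RestrictedUnpickler`, `restricted_loads`, `try_load` and the sample payloads are assumptions made for illustration.

```python
import io
import pickle
from decimal import Decimal


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only explicitly allowlisted globals."""

    def __init__(self, file, allowed=frozenset()):
        super().__init__(file)
        # Set of (module, name) pairs the receiver is willing to instantiate.
        self._allowed = frozenset(allowed)

    def find_class(self, module, name):
        # Every class or callable named in the stream is looked up here,
        # so refusing at this point stops instance construction.
        if (module, name) in self._allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data, allowed=frozenset()):
    """Like pickle.loads, but with an allowlist (empty by default)."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def try_load(data, allowed=frozenset()):
    """Return (True, value) on success or (False, reason) on refusal."""
    try:
        return True, restricted_loads(data, allowed)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample payloads (not taken from ZSyncer).
PLAIN = pickle.dumps({"path": "/folder/doc", "ids": [1, 2, 3]})  # builtins only
WITH_INSTANCE = pickle.dumps({"price": Decimal("1.50")})  # names decimal.Decimal

if __name__ == "__main__":
    print(try_load(PLAIN))
    print(try_load(WITH_INSTANCE))
    print(try_load(WITH_INSTANCE, {("decimal", "Decimal")}))
```

An allowlist narrows what a stream can instantiate but does not make pickle a safe format for untrusted input; the Python documentation still advises unpickling only data you trust.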


