[Zope] [ZSyncer] XML-RPC considered bad
Dieter Maurer
dieter at handshake.de
Fri Nov 21 15:00:14 EST 2003
Martijn Pieters wrote at 2003-11-20 16:21 -0500:
> On Thu, Nov 20, 2003 at 07:14:18PM +0100, Dieter Maurer wrote:
> > I made a ZSyncer variant that uses ZPublisher.Client as
> > RPC protocol and Python's "pickle" to marshal data. This gets
> > rid of XML-RPC. If anyone is interested, let me know...
>
> Watch out with pickles; if I can upload an arbitrary pickle to your machine
> I can get full control of your Zope process, as pickles would allow me to
> construct arbitrary instances of python objects.
I can do this with ZSyncer anyway -- even if it uses XML-RPC.
Its payload is a pickle that gets imported in the destination.
--
Dieter
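As an added illustration of the point both posters make above (this is example code written for this page, not code from the thread or from ZSyncer), the snippet below shows why loading a pickle is equivalent to running code from the sender, and the standard mitigation: a restricted Unpickler whose `find_class` only resolves names on an allow-list, so a stream that references any other callable is rejected before anything is imported or instantiated. The allow-list (`SAFE_GLOBALS`) and the sample payloads are assumptions constructed for the example; the sample "dangerous" stream merely names `os.system` by reference and never executes it.

```python
import datetime
import io
import os
import pickle

# Allow-list of globals a pickle stream may resolve. This is an assumption for
# the example; a real deployment lists exactly the types its data contains.
SAFE_GLOBALS = {
    "builtins": {"dict", "list", "set", "frozenset", "tuple", "str", "int",
                 "float", "bool"},
    "datetime": {"date", "datetime", "timedelta"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global outside SAFE_GLOBALS.

    Every class or callable a pickle stream names (GLOBAL / STACK_GLOBAL
    opcodes, and therefore every REDUCE call that builds an instance) is
    resolved through find_class(). The default implementation imports
    whatever module the stream asks for; overriding it is the documented
    way to keep an untrusted stream from reaching arbitrary code.
    """

    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        # Raise before the module is imported or the object is built.
        raise pickle.UnpicklingError(
            f"pickle references forbidden global {module}.{name}"
        )


def restricted_loads(data: bytes):
    """Deserialize bytes with the allow-listing unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify_payload(data: bytes) -> str:
    """Return 'ok' if the stream loads under the allow-list, else 'rejected'."""
    try:
        restricted_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample payloads (not real ZSyncer traffic).
# Plain data: only container/scalar opcodes, no globals are resolved.
SAMPLE_DATA = pickle.dumps({"path": "/site/page", "version": 3, "tags": ["a", "b"]})
# Allowed class: the stream names datetime.datetime and REDUCEs it.
SAMPLE_DATETIME = pickle.dumps(datetime.datetime(2003, 11, 21, 15, 0, 14))
# Dangerous reference: the stream names the callable os.system (pickled as
# posix.system / nt.system). The stock Unpickler would import and return it;
# the restricted one refuses it outright.
SAMPLE_DANGEROUS = pickle.dumps(os.system)


def demo() -> dict:
    """Classify each constructed sample under the restricted loader."""
    return {
        "data": classify_payload(SAMPLE_DATA),
        "datetime": classify_payload(SAMPLE_DATETIME),
        "dangerous": classify_payload(SAMPLE_DANGEROUS),
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list is the whole defense: anything a pickle can build, it builds by naming a callable and invoking it, so controlling which names resolve is what turns "accept a pickle" from "accept code" into "accept data". If the data exchanged is simple enough, a format that cannot name callables at all (JSON, or the XML-RPC marshalling the thread is debating) avoids the problem entirely.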