[z3-five] Unexpectedly unprotected code
Lennart Regebro
regebro at gmail.com
Fri Feb 2 10:15:10 CET 2007
On 2/1/07, Paul Winkler <pw_lists at slinkp.com> wrote:
> Yeah, but nowhere is it written in stone that the security model of
> TTW code needs to be different than the security model of filesystem
> code. I'm heretically suggesting that we consider whether this
> distinction does more harm than good. For a trivial example, the old
> "import re is not allowed" FAQ. IIRC the motivation for disallowing
> re is that regular expressions can be indeterminately slow and a naive
> scripter might create code that's an easy DOS target - or a malicious
> scripter might do so deliberately. In that case at least, I'm now
> pretty firmly on the side of "give 'em the rope and if they hang
> themselves, it's their own problem".
For re, yes. But for other things, no. It's a case of multiple not
serious security holes possibly combining into a serious one. If you can
do anything in a TTW, then all you need is to find one hole that
allows you to change a TTW-script, and all security of the system is
completely gone.
So, that TTW code needs a different security model than filesystem
code IS written in stone.
However, it is not written in stone that the quick hacky development
you can do in Zope2 must be TTW. ;)
--
Lennart Regebro: Python, Zope, CPS, Plone consulting.
+33 661 58 14 64