[Zope] Calling External Method...

Chris McDonough chrism@digicool.com
Sat, 20 May 2000 22:34:44 -0400


> 
> DTML Method that calls the External Method:
> <dtml-var standard_html_header>
> <h2><dtml-var title_or_id></h2>
>    <dtml-let cmdLine="'./websim'">
>      <dtml-var "ExecCGI(cmdLine)">
>    </dtml-let>
> <dtml-var standard_html_footer>

Geez, this is a pretty bad idea security-wise.  Your xCGI Python
function has a docstring and is therefore web-callable, so basically
you're letting anyone who can access your Zope instance run any program
on your server by passing it in as the cmdLine, e.g.
http://yourserver/ExecCGI?cmdLine=rm%20-rf%20*.  I know that's not your
problem right now, but you should reconsider this decision at some
point.

> /usr/local/Zope/lib/python/Products/ExternalMethod/ExternalMethod.py,
> line 248, in __call__
>     (Object: ExecCGI)
>     (Info: (('./websim',), {}, None))
>   File /usr/local/Zope/Extensions/ExecCGI.py, line 11, in xCGI
> TypeError: (see above)

I *think* this error message is telling you that it can't format the
status code as an integer in your raise statement.  Why don't you take
out your status-checking code and see what happens?
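
Added example, not part of the original message and not the poster's ExecCGI.py: one way to close the hole described above is to never accept a command line from the caller, and instead map a short key to a fixed argv held on the server. The names `ALLOWED`, `resolve` and `exec_allowed` are hypothetical, and the `websim` entry is a constructed stand-in that runs a harmless Python one-liner so the block works anywhere.

```python
import subprocess
import sys

# Constructed allowlist: short key -> fixed argv decided by the server owner.
# "websim" stands in for the ./websim program from the thread (assumption);
# a real deployment would list the absolute path of the actual binary.
ALLOWED = {
    "websim": [sys.executable, "-c", "print('websim output')"],
}


class CommandNotAllowed(Exception):
    """Raised when the caller asks for anything outside the allowlist."""


def resolve(name):
    """Return the fixed argv for an allowlisted key, or raise.

    The caller-supplied value is only ever used as a dictionary key; it is
    never handed to a shell or used as a path.
    """
    if not isinstance(name, str) or name not in ALLOWED:
        raise CommandNotAllowed("not an allowed program: %r" % (name,))
    return list(ALLOWED[name])


def exec_allowed(name, timeout=10):
    """Run an allowlisted program and return its standard output."""
    argv = resolve(name)
    proc = subprocess.run(
        argv,
        shell=False,          # argv list, no shell parsing of caller input
        capture_output=True,
        text=True,
        timeout=timeout,      # a hung child must not tie up the server thread
    )
    if proc.returncode != 0:
        # returncode is an int, so %d formatting is safe here
        raise RuntimeError("%s exited with status %d" % (name, proc.returncode))
    return proc.stdout
```

With this shape, a request that passes `rm -rf *` or even `./websim` as the parameter is rejected before any process is started, because neither string is a key in the allowlist.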