[Zope] Are ZEXP files safe?

Martijn Pieters mj at zopatista.com
Fri Mar 2 16:10:18 EST 2007


On 3/2/07, Jordan Baker <jbb at scryent.com> wrote:
> I seem to recall hearing in the past that unpickling in general was
> insecure for some reason.
>
> I'd like to allow less-privileged users to upload their ZEXP files on
> their own and import them into their own Folders.
>
> Are there any security issues with ZEXP import?

You heard correctly; pickles can contain arbitrary Python classes and
code and no security checks are done when importing ZEXP files. This
means a user can completely control your server with a correctly
crafted upload.

-- 
Martijn Pieters
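The two defensive checks the reply implies, as an added example that is not part of the thread or of Zope itself: a pre-import audit that disassembles a pickle stream with pickletools (nothing is executed) and reports the opcodes that can name or call a global, and an Unpickler whose find_class refuses everything not on a small allowlist. The allowlist, the sample pickles and the helper names are constructed for illustration; ZEXP wraps pickles in its own record framing, which this example does not parse, so it operates on a bare pickle stream.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that can name an importable global or call it while loading.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD",
                 "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}

# Hypothetical allowlist: the only globals an import may reconstruct.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

def audit_pickle(data: bytes) -> list:
    """Disassemble a pickle stream without running it; list risky opcodes."""
    findings = []
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in RISKY_OPCODES:
            detail = f"{opcode.name}@{pos}"
            if arg is not None:
                detail += f" {arg!r}"
            findings.append(detail)
    return findings

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global not on ALLOWED_GLOBALS (no arbitrary classes)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def restricted_loads(data: bytes):
    """Load untrusted pickle bytes through the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_rejected(data: bytes) -> bool:
    """True when the allowlisting unpickler refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed samples (protocol 3 writes module names unchanged).
PLAIN = pickle.dumps({"title": "Report", "count": 3}, protocol=3)
USES_ALLOWED_GLOBAL = pickle.dumps({1, 2}, protocol=3)
USES_OTHER_GLOBAL = pickle.dumps(collections.OrderedDict(a=1), protocol=3)
```

A plain dict of literals produces no risky opcodes, while any object that must be reconstructed through a class shows up as GLOBAL plus REDUCE or BUILD and is only loaded if that class is on the allowlist.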

