[Zope] Script (Python) insecure ?

M.-A. Lemburg mal at egenix.com
Tue Aug 12 13:38:16 EDT 2008


On 2008-08-12 18:04, Tres Seaver wrote:
> Garito wrote:
>> The same question again and again
> 
>> As a Zope user I prefer to know as soon as possible if Zope has security
>> problems like those
> 
>> Perhaps the correct way will be to send the problem to the zope people and 2
>> weeks later then make it public
> 
>> I think 2 weeks is a very correct period to solve a problem if not, I want
>> to try to solve the problem for myself
> 
>> But I shut my mouth, sorry Andreas ;)
> 
>> 2008/8/12 Andreas Jung <lists at zopyx.com>
> 
>>> *sigh*
>>>
>>> I wished that both exploits were reported to the Zope bugtracker in order
>>> to work on solutions before making the exploits public.
> 
> Right:  we would just like time to investigate the problem so that we
> can announce the problem and the workaround / hotfix / new releases
> simultaneously.  Two weeks would be longer than I would expect that
> process to take.

Next time, I'll post the report to the tracker and mark it private.

I really didn't have any intention of making your work harder than
it already is - I must admit that I wouldn't have thought of the
issue being that important.

OTOH, I do think that the PythonScript product will need some
more security audit, esp. since the restricted environment
safety belt checks are no longer being maintained in the Python
interpreter code and will likely go away completely for
Python 3.x.

It may be better to remove the PythonScript product altogether and
instead use ExternalMethods.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Aug 12 2008)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::


    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
            Registered at Amtsgericht Duesseldorf: HRB 46611
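The "safety belt" discussed above, as an added illustration that is not code from this thread, from Zope or from RestrictedPython: once the interpreter itself provides no restricted execution mode, every check a Script (Python) sandbox relies on has to live in the application layer, typically as a source-level policy enforced over the script's AST before it is compiled. The deny-list, function names and sample scripts below are constructed for the example, and the checker is deliberately minimal, not a complete sandbox.

```python
import ast

# Constructed illustration (not RestrictedPython's real implementation) of the
# kind of source-level policy a restricted-Python sandbox enforces before a
# user-supplied script is compiled: no private/dunder names, no imports, and
# no builtins that reach the interpreter, the file system or arbitrary code.
# Because the interpreter offers no restricted mode of its own, each rule has
# to be enforced here, at the application layer, and the list must be complete.

# Builtins a script must never be able to name (assumed deny-list for the example).
FORBIDDEN_BUILTINS = {
    "eval", "exec", "compile", "open", "__import__",
    "globals", "locals", "vars", "getattr", "setattr", "delattr",
}


class PolicyViolation(Exception):
    """Raised when a script breaks the restriction policy."""


class RestrictionChecker(ast.NodeVisitor):
    """Walk the AST of a script and collect every policy violation."""

    def __init__(self):
        self.violations = []

    def _deny(self, node, reason):
        self.violations.append(f"line {node.lineno}: {reason}")

    def visit_Name(self, node):
        if node.id.startswith("_"):
            self._deny(node, f"private name '{node.id}'")
        elif node.id in FORBIDDEN_BUILTINS:
            self._deny(node, f"forbidden builtin '{node.id}'")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        # Underscore attributes (all dunders included) are what let a script
        # climb from a harmless object to interpreter internals, so refuse them.
        if node.attr.startswith("_"):
            self._deny(node, f"private attribute '{node.attr}'")
        self.generic_visit(node)

    def visit_Import(self, node):
        self._deny(node, "import statements are not allowed")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        self._deny(node, "import statements are not allowed")
        self.generic_visit(node)


def check_script(source):
    """Return the list of policy violations for `source` (empty if clean)."""
    checker = RestrictionChecker()
    checker.visit(ast.parse(source))
    return checker.violations


def run_restricted(source, allowed_builtins, script_globals):
    """Refuse to compile a script that violates the policy; otherwise run it
    with only the explicitly allowed builtins and return its `result`."""
    violations = check_script(source)
    if violations:
        raise PolicyViolation("; ".join(violations))
    namespace = {"__builtins__": dict(allowed_builtins)}
    namespace.update(script_globals)
    exec(compile(source, "<script>", "exec"), namespace)
    return namespace.get("result")


if __name__ == "__main__":
    # Constructed sample scripts: one the policy accepts, three it rejects.
    samples = {
        "clean": "result = sum(values)\n",
        "import": "import os\nresult = os.getcwd()\n",
        "builtin": "result = open('/etc/passwd').read()\n",
        "dunder": "result = values.__class__\n",
    }
    for name, src in samples.items():
        print(name, "->", check_script(src) or "ok")
    print(run_restricted(samples["clean"], {"sum": sum}, {"values": [1, 2, 3]}))
```

The point of the design is that the policy is a static allow/deny decision taken before any code runs: a script that names a forbidden builtin, imports a module or touches an underscore attribute is never compiled at all, and the builtins it does get are an explicit allow-list passed in by the caller rather than whatever the interpreter happens to expose.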