[Zope] Script (Python) insecure ?

Andreas Jung lists at zopyx.com
Tue Aug 12 13:44:31 EDT 2008



--On 12. August 2008 19:38:16 +0200 "M.-A. Lemburg" <mal at egenix.com> wrote:

> On 2008-08-12 18:04, Tres Seaver wrote:
>> Garito wrote:
>>> The same question again and again
>>
>>> As a Zope user I prefer to know as soon as possible if Zope has security
>>> problems like those
>>
>>> Perhaps the correct way will be to send the problem to the zope people
>>> and 2 weeks later then make it public
>>
>>> I think 2 weeks is a very correct period to solve a problem if not, I
>>> want to try to solve the problem for myself
>>
>>> But I shut my mouth, sorry Andreas ;)
>>
>>> 2008/8/12 Andreas Jung <lists at zopyx.com>
>>
>>>> *sigh*
>>>>
>>>> I wished that both exploits were reported to the Zope bugtracker in
>>>> order to work on solutions before making the exploits public.
>>
>> Right:  we would just like time to investigate the problem so that we
>> can announce the problem and the workaround / hotfix / new releases
>> simultaneously.  Two weeks would be longer than I would expect that
>> process to take.
>
> Next time, I'll post the report to the tracker and mark it private.
>
> I really didn't have any intention of making your work harder than
> it already is - I must admit that I wouldn't have thought of the
> issue being that important.
>
> OTOH, I do think that the PythonScript product will need some
> more security audit, esp. since the restricted environment
> safety belt checks are no longer being maintained in the Python
> interpreter code and will likely go away completely for
> Python 3.x.
>
> It may be better to remove the PythonScript product altogether and
> instead use ExternalMethods.

My conclusion after almost 9 years with Zope: PythonScripts and trusted
code were a good and nice feature in the "early days" of Zope. The future
is clearly trusted code in all its flavors. RestrictedPython,
through-the-web editing (ZMI) and stuff like ZClasses should die - however
they must remain until the end of time - for the sake of compatibility.

Andreas