[Zope] Script (Python) insecure ?
Dieter Maurer
dieter at handshake.de
Sat Aug 16 02:00:36 EDT 2008
M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
> ...
>While I have not yet been able to break out of the restricted
>environment without help from installed products, there are a few
>denial-of-service attacks which can easily be deployed on sites
>allowing adding Python Scripts to a user folder:
>
>1. Attack:
>
>Put this into a "Script (Python)" object and run it:
>
>return 'kaboom'.encode('test.testall')
Attacks like this are well known and it is very difficult
to prevent them reliably:
Script (Python) (for good reasons) allows "while",
and with it, it is trivial to
* create infinite loops
* consume an unbounded amount of memory
That we hear very few problem reports in this respect
indicates that these "insecurities" have very
little practical importance -- maybe, because few installations grant
the creation of scripts to untrusted people.
--
Dieter
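As an added illustration (not Zope's or RestrictedPython's code) of how the two problems above, runaway loops and unbounded allocation, can be bounded from a trace hook while exec()-ing untrusted script text; the step and heap budgets are hypothetical values:

```python
import sys
import tracemalloc

# Added example, not part of the original post: run untrusted script text with
# a budget on executed lines (catches "while True:") and on traced heap bytes
# (catches loops that only allocate). Both limits are hypothetical defaults.

class BudgetExceeded(Exception):
    pass

def run_with_budget(script_source, max_steps=100_000, max_bytes=32 * 1024 * 1024):
    """Execute script_source with no builtins; return (status, namespace) where
    status is 'ok', 'steps' or 'memory'."""
    steps = 0

    def tracer(frame, event, arg):
        # Called once per executed line of the untrusted frame; raising here
        # aborts the script at the current instruction and unsets the tracer.
        nonlocal steps
        if event == "line":
            steps += 1
            if steps > max_steps:
                raise BudgetExceeded("steps")
            current, _peak = tracemalloc.get_traced_memory()
            if current > max_bytes:
                raise BudgetExceeded("memory")
        return tracer

    code = compile(script_source, "<untrusted>", "exec")
    namespace = {"__builtins__": {}}
    tracemalloc.start()
    sys.settrace(tracer)
    try:
        exec(code, namespace)
    except BudgetExceeded as exc:
        return str(exc), namespace
    finally:
        sys.settrace(None)
        tracemalloc.stop()
    return "ok", namespace
```

A bare `except:` inside the script could swallow the budget exception, so a process-level limit (CPU time, address space) is still the robust backstop; this hook only makes the common cases fail fast and loudly.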