Andrew Ho [mailto:[EMAIL PROTECTED]] wrote:
> On Thu, 28 Aug 2003, David Forslund wrote:
> > ???!!!  This makes no sense.  I guess I don't know what you mean by 
> > callable from URL.
> 
> An example may help:
> Let's say if we call 
> "http://calculator.tools.org/add?a=2&b=3"; and get 5 as the 
> returned value, then this is a "callable_from_URL" adding machine.
> 
> > I don't think you can execute arbitrary python calls (which is what 
> > Zope is written in) from a URL.
> 
> We do this all the time. I write a bunch of python routines 
> and call them by their respective URL. (This is what Zope is, 
> basically.)

That's not what Dave meant, I think. He meant, you can't execute
arbitrary Python program code via a URL. Of course, as a dynamic 
language, Python lets you configure a Web service to do this
if you insist, but it is indeed incredibly dangerous and only an
insane person would allow it. Python had some special modes of
execution (Rexec and bastion), designed to make such execution of
arbitrary code a bit safer, but they have been deprecated due to
flaws.

That's not to say that Web services, CGI scripts, etc. run by Python
can't be just as secure as those provided by any other language - but
the usual rules apply: always check for arbitrary code being submitted
in the parameters to calls to defined interfaces, etc.

Tim C
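As an added example (not code from the thread or from Zope), here is Andrew's "callable_from_URL" adding machine written the way Tim describes: the path and parameters are matched against the defined interface and anything else is refused, so nothing from the URL ever reaches the interpreter. The URL is the one from the thread; the function names are my own.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed example for the "callable_from_URL" adding machine in the
# thread: http://calculator.tools.org/add?a=2&b=3 should answer 5.
# The function names below are mine, not Zope's or any real library's.

def _int_param(params, name):
    """Return the single integer value of query parameter `name`.
    Raise ValueError if it is missing, repeated, or not a plain decimal
    integer (an optional leading '-' is allowed)."""
    values = params.get(name)
    if values is None:
        raise ValueError(f"missing parameter {name!r}")
    if len(values) != 1:
        raise ValueError(f"parameter {name!r} given more than once")
    raw = values[0]
    # Only ASCII digits pass, so anything resembling an expression or
    # program code is rejected here rather than evaluated.
    if not re.fullmatch(r"-?[0-9]+", raw):
        raise ValueError(f"parameter {name!r} is not an integer: {raw!r}")
    return int(raw)

def add_from_url(url):
    """Serve the fixed interface /add?a=<int>&b=<int> and nothing else."""
    parsed = urlparse(url)
    if parsed.path != "/add":
        raise ValueError(f"unknown operation {parsed.path!r}")
    params = parse_qs(parsed.query, keep_blank_values=True)
    unexpected = sorted(set(params) - {"a", "b"})
    if unexpected:
        raise ValueError(f"unexpected parameters {unexpected}")
    return _int_param(params, "a") + _int_param(params, "b")

def handle_request(url):
    """CGI-style wrapper: (200, result) on success, (400, reason) when the
    request does not match the defined interface."""
    try:
        return 200, str(add_from_url(url))
    except ValueError as exc:
        return 400, f"bad request: {exc}"

if __name__ == "__main__":
    for u in ("http://calculator.tools.org/add?a=2&b=3",
              "http://calculator.tools.org/add?a=2%2B3&b=3"):
        print(u, "->", handle_request(u))
```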