M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
...
While I have not yet been able to break out of the restricted
environment without help from installed products, there are a few
denial-of-service attacks which can easily be deployed on sites
allowing adding Python Scripts to a user folder:
1.
On 2008-08-16 08:00, Dieter Maurer wrote:
M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
...
While I have not yet been able to break out of the restricted
environment without help from installed products, there are a few
denial-of-service attacks which can easily be deployed on sites
allowing
--On 16. August 2008 13:11:13 +0200 M.-A. Lemburg [EMAIL PROTECTED] wrote:
In my experience, attempts to create a sandbox that protects
sufficiently against unwanted resource usage are either too
restrictive and slow to make them useful or have problems
preventing DOS attacks.
I think you
On 2008-08-16 13:39, Andreas Jung wrote:
--On 16. August 2008 13:11:13 +0200 M.-A. Lemburg [EMAIL PROTECTED] wrote:
In my experience, attempts to create a sandbox that protects
sufficiently against unwanted resource usage are either too
restrictive and slow to make them useful or have
M.-A. Lemburg wrote:
On 2008-08-16 08:00, Dieter Maurer wrote:
M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
...
While I have not yet been able to break out of the restricted
environment without help from installed products, there are a few
Andreas Jung wrote:
BTW: The reason why I had a look at these was that Chris Withers
mentioned at EuroPython that they are currently causing delays
in the Python 2.5 adoption (or at least are one of the reasons
for them).
Is Chris' talk somewhere online?
Sorry, they were just quick
Thanks Andreas, for creating a hotfix for this issue!
--On 12. August 2008 17:14:15 + Maurits van Rees
[EMAIL PROTECTED] wrote:
Andreas Jung, on 2008-08-12:
After a rough test: it seems to work for Zope trunk, 2.10 and 2.11
but has a failure for Zope 2.8.
I forgot to mention that the
Hello,
After Chris Withers' lightning talk at EPC 2008, I had a closer look
at the implementation of Python Scripts in Zope 2.11.
While I have not yet been able to break out of the restricted
environment without help from installed products, there are a few
denial-of-service attacks which can
*sigh*
I wish that both exploits had been reported to the Zope bugtracker in order
to work on solutions before making the exploits public.
--On 12. August 2008 13:41:04 +0200 M.-A. Lemburg [EMAIL PROTECTED] wrote:
Hello,
1. Attack:
Put this into a Script (Python) object and run it:
The same question again and again
As a Zope user I prefer to know as soon as possible if Zope has security
problems like those
Perhaps the correct way would be to send the problem to the Zope people and
then make it public 2 weeks later.
I think 2 weeks is a very correct period to solve a problem.
--On 12. August 2008 14:16:44 +0200 Andreas Jung [EMAIL PROTECTED] wrote:
*sigh*
I wish that both exploits had been reported to the Zope bugtracker in order
to work on solutions before making the exploits public.
--On 12. August 2008 13:41:04 +0200 M.-A. Lemburg [EMAIL PROTECTED]
wrote:
--On 12. August 2008 16:05:47 +0200 Andreas Jung [EMAIL PROTECTED] wrote:
--On 12. August 2008 14:16:44 +0200 Andreas Jung [EMAIL PROTECTED] wrote:
*sigh*
I wish that both exploits had been reported to the Zope bugtracker in order
to work on solutions before making the exploits public.
--On 12. August 2008 17:19:54 +0200 Andreas Jung [EMAIL PROTECTED] wrote:
I created a preliminary hotfix
http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz/view
After a rough test: it seems to work for Zope trunk, 2.10 and 2.11
but has a failure for Zope 2.8.
I forgot to mention
--On 12. August 2008 17:31:06 +0200 Andreas Jung [EMAIL PROTECTED] wrote:
--On 12. August 2008 17:19:54 +0200 Andreas Jung [EMAIL PROTECTED] wrote:
I created a preliminary hotfix
http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz/view
After a rough test: it seems to work for Zope
Garito wrote:
The same question again and again
As a Zope user I prefer to know as soon as possible if Zope has security
problems like those
Perhaps the correct way will be to send the problem to the zope people and 2
weeks later then make it
Andreas Jung, on 2008-08-12:
After a rough test: it seems to work for Zope trunk, 2.10 and 2.11
but has a failure for Zope 2.8.
I forgot to mention that the hotfix also seems to work for Zope 2.9.
(third-party confirmations are highly appreciated).
Update: the hotfix although works for Zope
Maurits van Rees, on 2008-08-12:
That's with: http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz
Oh, that tarball contains a .svn directory...
I took the liberty of committing a change to the text of the raised
ValueError to make it a proper sentence. Old:
SystemExit can not raised
On 2008-08-12 18:04, Tres Seaver wrote:
Garito wrote:
The same question again and again
As a Zope user I prefer to know as soon as possible if Zope has security
problems like those
Perhaps the correct way will be to send the problem to the zope people and 2
weeks later then make it
--On 12. August 2008 19:38:16 +0200 M.-A. Lemburg [EMAIL PROTECTED] wrote:
On 2008-08-12 18:04, Tres Seaver wrote:
Garito wrote:
The same question again and again
As a Zope user I prefer to know as soon as possible if Zope has security
problems like those
Perhaps the correct way will
+---[ Andreas Jung ]--
|
| My conclusion after almost 9 years with Zope: PythonScripts and trusted
| code was a good and nice feature in the early days of Zope. The future
| is clearly trusted code in all its flavors. RestrictedPython,
| through-the-web editing (ZMI) and
--On 12. August 2008 17:14:15 + Maurits van Rees
[EMAIL PROTECTED] wrote:
Andreas Jung, on 2008-08-12:
After a rough test: it seems to work for Zope trunk, 2.10 and 2.11
but has a failure for Zope 2.8.
I forgot to mention that the hotfix also seems to work for Zope 2.9.
(third-party
On 2008-08-12 20:49, Andreas Jung wrote:
--On 12. August 2008 17:14:15 + Maurits van Rees
[EMAIL PROTECTED] wrote:
Andreas Jung, on 2008-08-12:
After a rough test: it seems to work for Zope trunk, 2.10 and 2.11
but has a failure for Zope 2.8.
I forgot to mention that the hotfix also