On Fri, 8 Nov 2002, Craeg K Strong wrote:
OK
How about this for the TODO list for ExternalFile:
Hope it isn't too late discussing this issue.
I have tested this product and gave up because of
security considerations. And now I have to use
it for large files.
There is another aspect that
Wei He writes:
...
I have an idea, but don't know whether it is possible:
set uid.
If there is a way Zope server can change uid to a predefined
one before accessing an externally linked file, each webmaster
will have permission to their own home directory plus some
shared
OK
How about this for the TODO list for ExternalFile:
Create a facility whereby ExternalFiles must be created
within a set of allowed directory(ies), specified in
.../etc/allowedDirectories.txt
For example:
#
# helpful comment goes here
#
/ # allow everything
#
Or:
#
:25 AM
To: Jonagustine Lim
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Zope-dev] Re: Unsecure design of ExternalFile
Yikes! Scary stuff.
However, here are some things to consider:
a) ExternalFile advertises itself as being a developers/
content authors tool, not really for production
--- [EMAIL PROTECTED] wrote:
I'm not familiar with ExternalFile, but likely plan
to use it in the future.
I think a list of expressly permitted directory
locations (including all
subdirectories) might be more secure. You can't go
wrong with a default
directory for files (perhaps
On Thu, Nov 07, 2002 at 11:24:35AM -0500, Craeg K Strong wrote:
What would you recommend? Perhaps there should be
a predefined list of forbidden directories for ExternalFiles?
The problem is that-- in the development scenario-- the
very things you mention below might be what you
legitimately