Re: [Zope] Python script safety
At 10:18 AM 1/29/2001 +, you wrote:
>Robin Becker wrote:
> >
> > Yes, I can use External Methods if I have access to the machine, but
> > those 'trusted' scripts could be just as easily handled by a 'Trusted
> > Python Scripts' Zope object which didn't have all the rather (as you say
> > yourself) pointless safety checks. Then I could handle the safety issue
> > in Zope and not in the base OS. There would be many advantages in having
> > allowing 'unsafe' scripting inside the Zope domain.
>
>I'll second that ;-)

I'll third.

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Python script safety
Robin Becker wrote:
>
> Yes, I can use External Methods if I have access to the machine, but
> those 'trusted' scripts could be just as easily handled by a 'Trusted
> Python Scripts' Zope object which didn't have all the rather (as you say
> yourself) pointless safety checks. Then I could handle the safety issue
> in Zope and not in the base OS. There would be many advantages in having
> allowing 'unsafe' scripting inside the Zope domain.

I'll second that ;-)

cheers,

Chris
Re: [Zope] Python script safety
In article <[EMAIL PROTECTED] in>, Michel Pelletier <[EMAIL PROTECTED]> writes
>
>
>On Sat, 27 Jan 2001, Robin Becker wrote:
>
>> seems to be taking an awful lot of my machine's resources
>
>The safety restraints in through the web code try to catch only the most
>naive programmer errors (like obvious infinite loops ie "while 1:"), *not*
>DOS attacks. If you are worried about that, do not give untrusted users
>the ability to write scripts or methods. DTML and Perl are just as
>susceptible to this problem. For example, all executable code is limited
>to a finite number of iterations, but this is trivial to defeat:
>
>
>    ...
>
>you get the idea. Only allow trusted users to create executable content.
>If you feel the restraints placed on you by through the web scripts to be
>too much, use an external method.
>
>-Michel

I feel that allowing any scripting to be public will inevitably invite
such attacks. So what you are implying is that even trusted users can
make mistakes as allowing non trusted users to do scripting shouldn't be
done. When the trusted user has got his script working properly can he
then remove the restraints? What happens when I really want to make very
large xranges etc or use those rather useful things which are presently
forbidden.

Yes, I can use External Methods if I have access to the machine, but
those 'trusted' scripts could be just as easily handled by a 'Trusted
Python Scripts' Zope object which didn't have all the rather (as you say
yourself) pointless safety checks. Then I could handle the safety issue
in Zope and not in the base OS. There would be many advantages in having
allowing 'unsafe' scripting inside the Zope domain.
-- 
Robin Becker
[Zope] Python script safety
There seem to be some attempts to avoid DOS attacks by eliminating
excessive resource usage. Might I point out that the first script I
tried out

    m=range(99)
    m=[m,m[:],m[:],m[:],m[:],m[:],m[:]]
    m=[m,m[:],m[:],m[:],m[:],m[:],m[:]]
    m=[m,m[:],m[:],m[:],m[:],m[:],m[:]]
    m=[m,m[:],m[:],m[:],m[:],m[:],m[:]]
    m=[m,m[:],m[:],m[:],m[:],m[:],m[:]]
    m=[m,m[:],m[:],m[:],m[:],m[:],m[:]]
    return m

seems to be taking an awful lot of my machine's resources
-- 
Robin Becker
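
Added example, not part of any message in this thread and not Zope code: the script from the first message, as it appears on this page, runs six loop-free statements, so an iteration limit never triggers, yet the value it returns expands sevenfold per statement when rendered with repr()/str(). The sketch below is Python 3 (hence `list(range(...))`) and measures that expansion without materialising it; the names `robin_script`, `distinct_containers`, `expanded_leaves`, `check_result`, `ResultTooLarge` and the 1,000,000-value budget are assumptions made for illustration.

```python
def robin_script(levels=6, base=99):
    """Rebuild the structure from the first message: every statement wraps
    the previous value in a list of itself plus six shallow copies."""
    m = list(range(base))
    for _ in range(levels):
        m = [m, m[:], m[:], m[:], m[:], m[:], m[:]]
    return m

def distinct_containers(obj, seen=None):
    """Number of list objects that were actually allocated."""
    seen = set() if seen is None else seen
    if not isinstance(obj, list) or id(obj) in seen:
        return 0
    seen.add(id(obj))
    return 1 + sum(distinct_containers(x, seen) for x in obj)

def expanded_leaves(obj, memo=None):
    """Number of leaf values repr()/str() would emit for obj.
    Memoised on id(), so the walk costs O(distinct objects), not O(output)."""
    memo = {} if memo is None else memo
    if not isinstance(obj, list):
        return 1
    key = id(obj)
    if key not in memo:
        memo[key] = 0  # a list that contains itself contributes nothing more
        memo[key] = sum(expanded_leaves(x, memo) for x in obj)
    return memo[key]

class ResultTooLarge(Exception):
    """Raised by the hypothetical guard below."""

def check_result(obj, max_leaves=1_000_000):
    """Hypothetical guard: refuse to render a script result over budget."""
    n = expanded_leaves(obj)
    if n > max_leaves:
        raise ResultTooLarge(f"result expands to {n} values (limit {max_leaves})")
    return n

if __name__ == "__main__":
    m = robin_script()
    print("lists allocated:", distinct_containers(m))  # 43
    print("values in repr :", expanded_leaves(m))      # 11647251
```

The gap between 43 allocated lists and roughly 11.6 million rendered values is why a per-statement or per-iteration cap does not bound the work; a budget has to be applied to the result (or to memory and CPU at the process level) instead.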