I will add the URL test. In addition, I will pass a long symmetric 64-bit key 
to the external method as a parameter, and require the external method to 
confirm that the correct key was passed. Since only I have access to my file 
system and to my ZMI this is sufficient.

Extraneously, I would like to say how excited I am about the willingness of 
Zopistas to respond to questions from an ordinary user like me. Everyone talks 
about the buzzword frameworks Django and RoR. But the most important factor for 
a user ought to be the ability to get support online. On this point I don't see 
how Zope could be much better, as long as we ordinary users don't abuse it.

Zope Corporation is opening an office in Northern Virginia, and that says to me 
that the commercial Zope community is growing. If I apply myself then maybe in 
a few years I would be part of it myself.

Just my two shekels.

-----Original Message-----
From: Jonathan [mailto:[EMAIL PROTECTED]
Sent: Friday, January 26, 2007 2:30 PM
To: Mark, Jonathan (Integic); zope@zope.org
Subject: Re: [Zope] Is there any way to turn off the publishing of
externalmethods to the web in Zope?

----- Original Message ----- 
From: "Mark, Jonathan (Integic)" <[EMAIL PROTECTED]>
To: "Jonathan" <[EMAIL PROTECTED]>; <zope@zope.org>
Sent: Friday, January 26, 2007 2:32 PM
Subject: RE: [Zope] Is there any way to turn off the publishing of 
externalmethods to the web in Zope?

> Using a proxy role on the calling Python Script worked. My guess is that a 
> clever hacker could call the Python Script continually and then create a 
> race condition that would permit him to call the External Method directly 
> in a URL, thus passing the External Method his own malicious parameters.

That's why I suggested, in an earlier response, a URL test within the 
external method.

