On 3/2/07, Jordan Baker <[EMAIL PROTECTED]> wrote:
I seem to recall hearing in the past that unpickling in general was
insecure for some reason.

I'd like to allow less-priveleged users to upload their ZEXP files on
their own and import them into their own Folders.

Are there any security issues with ZEXP import?

You heard correctly; pickles can contain arbitrary python classes and
code and no security checks are done when importing ZEXP files. This
means a user can completely control your server with a correctly
crafted upload.

--
Martijn Pieters
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to