Hello,

after Chris Withers' lightning talk at EPC 2008 I had a closer look at the implementation of Python Scripts in Zope 2.11.

While I have not yet been able to break out of the restricted environment without help from installed products, there are a few denial-of-service attacks which can easily be deployed on sites allowing adding Python Scripts to a user folder:

1. Attack:

   Put this into a "Script (Python)" object and run it:

       return 'kaboom'.encode('test.testall')

   This results in a denial-of-service, since Zope will hang running the Python test suite.

   The reason for this is a problem in the way the encoding search function works in Python 2.4. This was changed in 2.5 to no longer allow searching for codecs outside the encodings package.

2. Attack:

   Put this into a "Script (Python)" object and run it:

       raise SystemExit

   This shuts down Zope.

   The Python Script environment should obviously catch such exceptions and not let them propagate up the call stack.

I found the second attack rather surprising, as it doesn't require deep knowledge about Python's internals.

Regards,
--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Aug 12 2008)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
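The two mitigations the post points at, as an added example that is not part of the original message or of Zope: a codec lookup restricted to the `encodings` package (the Python 2.5 rule the post mentions, written here for Python 3) and a script runner that traps SystemExit instead of letting it reach the hosting process. The function names and the sample scripts are constructed for illustration.

```python
import encodings
import encodings.aliases
import importlib


def lookup_codec_safely(name):
    """Resolve a codec name the way Python 2.5+ does: only modules inside the
    `encodings` package are considered, so a dotted name can never pull in an
    arbitrary module such as the stdlib test runner."""
    norm = encodings.normalize_encoding(name).lower()
    norm = encodings.aliases.aliases.get(norm, norm)
    if not norm or "." in norm:
        raise LookupError("unknown or disallowed encoding: %r" % name)
    try:
        mod = importlib.import_module("encodings." + norm)
    except ImportError:
        raise LookupError("unknown encoding: %r" % name)
    return mod.getregentry()  # a codecs.CodecInfo


def safe_encode(text, encoding):
    """str.encode replacement that goes through the restricted lookup."""
    return lookup_codec_safely(encoding).encode(text)[0]


def run_script(script, *args):
    """Run an untrusted script callable and report its outcome as data.

    SystemExit, KeyboardInterrupt and GeneratorExit derive from BaseException,
    not Exception, so `except Exception` alone would let `raise SystemExit`
    propagate and shut the hosting process down; they are trapped explicitly."""
    try:
        return {"ok": True, "result": script(*args)}
    except Exception as exc:
        return {"ok": False, "error": "%s: %s" % (type(exc).__name__, exc)}
    except BaseException as exc:
        return {"ok": False,
                "error": "script raised %s; blocked" % type(exc).__name__}


if __name__ == "__main__":
    # Constructed sample scripts standing in for "Script (Python)" bodies.
    print(run_script(lambda: safe_encode("kaboom", "utf-8")))
    print(run_script(lambda: safe_encode("kaboom", "test.testall")))

    def exits():
        raise SystemExit
    print(run_script(exits))
```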