M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
> ...
>While I have not yet been able to break out of the restricted
>environment without help from installed products, there are a few
>denial-of-service attacks which can easily be deployed on sites
>allowing adding Python Scripts to a user folder:
>
>1. Attack:
>
>Put this into a "Script (Python)" object and run it:
>
>return 'kaboom'.encode('test.testall')
Attacks like this are well known and it is very difficult to prevent them
reliably: Script (Python) (for good reasons) allows "while" and with it
it is trivial to

  * create infinite loops
  * consume an unbound amount of memory

That we hear very few problem reports in this respect indicates that
these "insecurities" have very little practical importance -- maybe,
because few installations grant the creation of scripts to untrusted
people.

-- 
Dieter
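The reply above argues that a restricted interpreter cannot, by itself, stop a script from looping forever or allocating without bound, so the practical defence is a ceiling imposed from outside the interpreter. The following is an added example, not code from this thread and not Zope's own mechanism: it runs an untrusted snippet in a separate Python process with hard CPU-time and address-space limits (POSIX `setrlimit`, Linux semantics assumed) plus a wall-clock backstop, and classifies how the child ended. The helper name `run_untrusted` and the default limits are this example's own choices.

```python
import resource
import signal
import subprocess
import sys


def _limiter(cpu_seconds, mem_bytes):
    """Build the preexec hook that caps the child before it starts running user code.

    On Linux the soft CPU limit delivers SIGXCPU (fatal to a plain Python
    process) and the hard limit one second later delivers SIGKILL, so we keep
    hard = soft + 1 to get the more informative signal first.
    """
    def apply_limits():
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    return apply_limits


def run_untrusted(code, cpu_seconds=2, mem_bytes=512 * 1024 * 1024, wall_seconds=15):
    """Execute `code` in an isolated interpreter and report how it finished.

    Returns one of:
      'ok'           - exited normally
      'cpu-limit'    - killed by the CPU-time ceiling (infinite loop case)
      'memory-limit' - allocation refused by the address-space ceiling
      'wall-limit'   - wall-clock backstop fired (e.g. the script slept)
      'error'        - any other failure, including a refused setrlimit
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],   # -I: isolated mode, no site/env influence
            preexec_fn=_limiter(cpu_seconds, mem_bytes),
            capture_output=True, text=True, timeout=wall_seconds,
        )
    except subprocess.TimeoutExpired:
        return "wall-limit"
    except subprocess.SubprocessError:
        return "error"          # e.g. the platform rejected one of the limits

    if proc.returncode == 0:
        return "ok"
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu-limit"
    if "MemoryError" in proc.stderr:
        return "memory-limit"
    return "error"


if __name__ == "__main__":
    # Constructed sample scripts mirroring the two cases named in the reply.
    print(run_untrusted("x = sum(range(10))"))                                   # ok
    print(run_untrusted("while True: pass", cpu_seconds=1))                      # cpu-limit
    print(run_untrusted("buf = bytearray(1024 ** 3)", mem_bytes=512 * 1024 ** 2))  # memory-limit
```

The classification relies on the child's exit status rather than on trusting anything the script prints, because the script is the untrusted party. RLIMIT_AS is not enforced on every platform (macOS ignores it), which is why a refused or ineffective limit surfaces as 'error' rather than being silently treated as success.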