M.-A. Lemburg wrote at 2008-8-12 13:41 +0200:
> ...
>While I have not yet been able to break out of the restricted
>environment without help from installed products, there are a few
>denial-of-service attacks which can easily be deployed on sites
>allowing adding Python Scripts to a user folder:
>1. Attack:
>Put this into a "Script (Python)" object and run it:
>return 'kaboom'.encode('test.testall')

Attacks like this are well known and it is very difficult
to prevent them reliably:

   Script (Python) (for good reasons) allows "while"
   and with it it is trivial to

     * create infinite loops

     * consume an unbound amount of memory

That we hear very few problem reports in this respect
indicates that these "insecurities" have very
little practical importance -- maybe, because few installations grant
the creation of scripts to untrusted people.

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )
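The reply above makes the point that a `while` loop is enough to spin forever or to allocate without bound, and that a language-level sandbox cannot reliably stop it. What does contain it is the operating system: run each untrusted script in a child process with a CPU-time ceiling, an address-space ceiling and a wall-clock deadline, and let the kernel kill it. The block below is an added example, not code from this thread or from Zope's Script (Python) implementation; the limit values, the `run_untrusted` wrapper and its status strings are assumptions made for the demonstration, and it needs a Unix host with the `resource` module.

```python
"""Run an untrusted snippet of Python in a child process under hard resource
limits, so an infinite loop or an allocation loop is killed instead of
taking the whole server down.

Added example with assumed names and limits; not Zope's own sandbox code.
"""
import resource
import signal
import subprocess
import sys
import textwrap

# Wrapper executed inside the child.  It exec()s the untrusted source read
# from stdin and maps MemoryError to a distinct exit code (3) so the parent
# can tell "hit the memory ceiling" apart from an ordinary script error (1).
# os._exit avoids allocating anything further once memory is exhausted.
CHILD_WRAPPER = textwrap.dedent("""
    import os, sys
    src = sys.stdin.read()
    ns = {}
    try:
        exec(compile(src, "<untrusted>", "exec"), ns)
    except MemoryError:
        ns.clear()          # release the script's objects before reporting
        os._exit(3)
    except Exception as exc:
        sys.stderr.write("%s: %s\\n" % (type(exc).__name__, exc))
        os._exit(1)
    os._exit(0)
""")


def _set_limit(res, soft, hard):
    """setrlimit() that never tries to exceed the inherited hard limit."""
    _cur_soft, cur_hard = resource.getrlimit(res)
    if cur_hard != resource.RLIM_INFINITY:
        soft, hard = min(soft, cur_hard), min(hard, cur_hard)
    resource.setrlimit(res, (soft, hard))


def _apply_limits(cpu_seconds, memory_bytes):
    """Runs in the child between fork and exec; the untrusted code cannot
    raise these limits again afterwards."""
    # SIGXCPU at the soft CPU limit, SIGKILL one second later.
    _set_limit(resource.RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)
    # Allocation beyond this address-space size fails with MemoryError.
    _set_limit(resource.RLIMIT_AS, memory_bytes, memory_bytes)
    # Do not write a core file when the kernel kills the child.
    _set_limit(resource.RLIMIT_CORE, 0, 0)


def run_untrusted(source, cpu_seconds=1, memory_bytes=512 * 1024 * 1024,
                  wall_seconds=5):
    """Execute *source* in a limited child and classify what happened.

    Returns "ok", "cpu-limit", "memory-limit", "wall-limit" or "error".
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_WRAPPER],
            input=source.encode(),
            capture_output=True,
            timeout=wall_seconds,
            preexec_fn=lambda: _apply_limits(cpu_seconds, memory_bytes),
        )
    except subprocess.TimeoutExpired:
        # A loop that sleeps instead of spinning never consumes CPU time,
        # so RLIMIT_CPU alone is not enough; the wall-clock deadline catches it.
        return "wall-limit"
    if proc.returncode == 0:
        return "ok"
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu-limit"
    if proc.returncode == 3:
        return "memory-limit"
    return "error"


if __name__ == "__main__":
    # Constructed sample scripts: one benign, one spinning, one allocating.
    print(run_untrusted("x = 2 + 2"))
    print(run_untrusted("while True:\n    pass"))
    print(run_untrusted("chunks = []\nwhile True:\n"
                        "    chunks.append(bytearray(1024 * 1024))"))
```

The three ceilings are deliberately independent: `RLIMIT_CPU` stops a busy loop, `RLIMIT_AS` stops an allocation loop, and the `timeout` in `subprocess.run` stops a loop that sleeps and would otherwise evade both. Limits set in `preexec_fn` are inherited across `exec` and can only be lowered by the child, so nothing the script does can lift them.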