[ZODB-Dev] How to implement a production / test environment using zope ?

Tom Jenkins tjenkins@devis.com
08 Nov 2001 18:50:21 -0500


We have started using the ZSyncer product.  We patched it to allow https
connections; I don't know if Andy has put the patch into his source
tree.  Basically ZSyncer uses xmlrpc to move objects from one zope
installation to another zope installation.

On Thu, 2001-11-08 at 17:49, Michel Pelletier wrote:
> Steve Spicklemire wrote:
> > 
> > 
> > You might also consider ZSyncer (I forget the URL) which does a similar
> > trick, but using a different approach (direct sync between two Zopes).
> 
> I have not seen ZSyncer yet, but I spoke with Jim a while ago about
> foreign pickles, and what he had to say was kind of alarming.  I always
> knew that pickles from untrusted sources could be dangerous, but I
> didn't realize how.  
> 
> Imagine a pickle that says it's a medusa 'monitor_server' instance and
> contains data like a secret backdoor port to listen in on.  If you don't
> know where your pickles are coming from, someone could easily sneak a
> pickle like this into the data and you would never know.  Upon
> unpickling some innocent object, you would also be unpickling a backdoor
> right into your system.  
> 
> This is also why ZClass based products can be more risky than Python
> based ones, you can always read the Python for backdoors, but browsing
> binary pickles takes detailed knowledge of the pickle format.  To
> mitigate a bit of that risk, a command line scanner tool could probably
> be created that verified a ZODB or export file to contain only an
> approved set of pickles and issue warnings for unknown or malicious ones.
> 
> The point is, know where your pickles (and code!) come from and make
> sure you trust that source.  If you allow two Zopes to sync their
> object data, make sure that connection is totally secure.
> 
> -Michel
> 
> _______________________________________________
> For more information about ZODB, see the ZODB Wiki:
> http://www.zope.org/Wikis/ZODB/
> 
> ZODB-Dev mailing list  -  ZODB-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zodb-dev
-- 

Tom Jenkins
Development InfoStructure
http://www.devis.com