[Zope-dev] Zope client? (invitation for developers)

Itamar Shtull-Trauring itamar@maxnm.com
Thu, 11 May 2000 10:52:38 +0300


Bill Anderson wrote:
> > I've written one already in wxPython, so it runs on Windows, too.  Check out
> > http://www.zope.org/Members/itamar/load_site.  Make sure you follow the
> > instructions on altering Zope or it won't work.  It uses both XML-RPC and
> > ZPublisher.Client for historical reasons, but eventually it'll use XML-RPC
> > only, since XML-RPC is a lot more powerful.
> 
> But has issues with ZSQL Methods. :(

That's a Zope security issue, really.  Client would most likely have the
same problem.  But let me explain why I used XML-RPC:  ZPublisher.Client
always returns its results as a string, while XML-RPC pickles Python objects
into XML and then unpickles them back into Python objects.  This means that
if a method returns a list, using Client you'll get "['a', 'b', 'c']", the
string representation of the list, while with XML-RPC you'll get the actual
list.

Since doing eval() on strings you get from strangers is a Really Big
Security Bug, XML-RPC is the way to go.

-- 
Itamar S.T.  itamar@maxnm.com
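
The difference described in the message above, as an added example that is not part of the original post or of load_site: a list sent as its string representation versus the same list marshalled over XML-RPC, and a literal-only parser that rejects a response eval() would have executed. It assumes Python 3's standard xmlrpc.client and ast modules; the function names and sample values are constructed for illustration.

```python
import ast
import xmlrpc.client

# Constructed sample data: what a server method returning a list would produce.
RESULT = ['a', 'b', 'c']
# Constructed untrusted response: a function call dressed up as a list.
HOSTILE = "[len('abc')]"

def as_client_string(value):
    """Model a string-only transport: the caller receives repr() text."""
    return repr(value)

def as_xmlrpc_body(value):
    """Marshal the value into an XML-RPC methodResponse document."""
    return xmlrpc.client.dumps((value,), methodresponse=True)

def decode_xmlrpc(body):
    """Unmarshal an XML-RPC response; yields typed data and evaluates nothing."""
    params, _method = xmlrpc.client.loads(body)
    return params[0]

def is_plain_literal(text):
    """True only if the text is a Python literal (no calls, names, operators on names)."""
    try:
        ast.literal_eval(text)
        return True
    except (ValueError, SyntaxError):
        return False

def decode_string_safely(text):
    """Parse repr() text as a literal; refuse anything eval() would have to execute."""
    if not is_plain_literal(text):
        raise ValueError("response is not a plain literal; refusing to evaluate")
    return ast.literal_eval(text)

if __name__ == "__main__":
    print(type(as_client_string(RESULT)))               # str: caller must parse it
    print(type(decode_xmlrpc(as_xmlrpc_body(RESULT))))  # list: typed by the protocol
    print(is_plain_literal(HOSTILE))                    # False: contains a call
    # Sent over XML-RPC, the same text arrives as an inert string value.
    print(repr(decode_xmlrpc(as_xmlrpc_body(HOSTILE))))
```
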