[Zope-dev] Allowing secure 'import' access in zope folder hosting

Shane Hathaway shane@digicool.com
Fri, 20 Apr 2001 17:29:51 -0400


Ivo van der Wijk wrote:
> I tried to ask this on the standard zope list, but no one seemed to know
> anything about it. Perhaps you do?
> 
> We provide zope hosting, both folder based (where people have access
> to their own folder, mapped to a domain, and no access to the zope
> server / source / var / import / lib directories) and pure zope hosting
> (i.e. an entire zope server of their own for this customer)
> 
> In the folder case, one of our customers wishes to upload his locally
> developed site as .zexp to our zope server and import it there.
>
> Can this be done safely? I.e. without compromising the other customers'
> security?

No.  It's not just difficult, but with zexp it's not possible.

> 
> From some discussions we had on #zope I understand that especially
> proxy roles may be a problem which may be fixed by requiring the user
> to take ownership.
> 
> Would this fix all security issues? Or are there any other unforeseen problems?
> 
> Would anyone know another solution to achieve the same functionality?
> (ftp won't work, as you can't, for example, upload userfolders)
> 
> Would it be possible to perform a scan on an XML export for unwanted
> proxy roles and other security issues?

There are infinite ways to plant a security hole in a .zexp.

What you're really looking for is a different kind of import/export
format.  This is actually a great opportunity for a new product:
something that can import and export only specific kinds of objects and
can strip security-related attributes.  It could be web-enabled rather
than requiring filesystem access.

I guess the question is then "how badly do you want it"?  :-)

Shane
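The restricted import format Shane suggests, accepting only allow-listed object kinds and stripping security-bearing attributes before anything reaches the site, sketched as an added Python example (not code from this thread or from Zope). The meta_type allow-list, the attribute names and the dict-based export layout are assumptions made for the illustration.

```python
import re

# Allow-list of meta types the restricted importer accepts (assumed set).
ALLOWED_META_TYPES = {"Folder", "DTML Document", "DTML Method", "File", "Image"}
# Attributes that carry authority (assumed names); never copied into the site.
SECURITY_ATTRS = {"_proxy_roles", "__ac_local_roles__", "__ac_roles__", "__ac_permissions__", "_owner"}
SAFE_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

class RejectedObject(ValueError):
    """The export contains something the restricted format must not carry."""

def sanitize(node, path="", stripped=None):
    """Return (cleaned_copy, stripped) for a tree of {"id", "meta_type",
    "attrs", "children"} dicts, or raise RejectedObject; `stripped` lists
    "path:attr" entries so the provider can log what was removed."""
    stripped = [] if stripped is None else stripped
    obj_id = str(node.get("id", ""))
    here = f"{path}/{obj_id}"
    if not SAFE_ID.match(obj_id):
        raise RejectedObject(f"{here}: unsafe object id")
    meta_type = node.get("meta_type")
    if meta_type not in ALLOWED_META_TYPES:
        raise RejectedObject(f"{here}: meta_type {meta_type!r} is not importable")
    attrs = {}
    for key, value in node.get("attrs", {}).items():
        # Drop listed security attributes and any Zope-style __ac_* setting.
        if key in SECURITY_ATTRS or key.startswith("__ac_"):
            stripped.append(f"{here}:{key}")
        else:
            attrs[key] = value
    children = node.get("children", [])
    if children and meta_type != "Folder":
        raise RejectedObject(f"{here}: only Folders may contain children")
    cleaned = {"id": obj_id, "meta_type": meta_type, "attrs": attrs,
               "children": [sanitize(c, here, stripped)[0] for c in children]}
    return cleaned, stripped

def is_importable(node):
    """True when the whole tree passes the allow-list without a rejection."""
    try:
        sanitize(node)
        return True
    except RejectedObject:
        return False

# Constructed sample: local roles on the folder and proxy roles on the document.
SAMPLE_EXPORT = {"id": "site", "meta_type": "Folder",
    "attrs": {"title": "Customer site", "__ac_local_roles__": {"mallory": ["Manager"]}},
    "children": [{"id": "index_html", "meta_type": "DTML Document",
                  "attrs": {"raw": "<dtml-var title>", "_proxy_roles": ["Manager"]}}]}
```

A user folder, an unsafe id, or a non-Folder carrying children is refused outright rather than cleaned, so the provider sees a rejection instead of a silently altered site.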