[Zope] Import from file via management-interface

Martijn Pieters mj@digicool.com
Sat, 9 Sep 2000 18:16:45 +0200


On Sat, Sep 09, 2000 at 03:54:25PM +0200, Tino Wildenhain wrote:
> > The problem is not so much ownership of the objects imported, but the type
> > of objects that can be instantiated from a pickle (the export format
> > whether XML or binary, consists of pickled classes).
> > 
> > You can create _everything_ from a pickle, as long as there is a class
> > definition for it; including a monitor client. I can open up a high port
> > on your machine that'll let me connect to your Zope process in a python
> > interpreter prompt. Then your server is my oyster.
> 
> That's badly true, but importing of a whole bunch of objects is also 
> often needed. IIRC does pickle only handle instance data but not
> class code. (although I see using of marshal in the import code
> which does in fact import code as opposite to pickle)
> Importing instance data should not be a problem since it can only work
> if the user in question has access to the classes. 
> This access is already handled by permissions.

No it isn't. Web access to class instances is handled by permissions.
Unpickling will cause class instantiation in the python process, where you
have no control over what gets created. You can create a custom
unpickling class, but one that would handle the Zope range of objects
would be, in Jim's words "tricky".

> Moreover we could restrict importing via web to the superuser at all.

This would completely defeat your idea that people besides the superuser
should be able to import. Apart from being a security risk.

> > Allowing imports from arbitrary paths will let me exploit security holes
> > in other internet daemons on your machine to create a pickle file for
> > import; preferably the /tmp directory as it is world writeable.
> > Restricting imports to one directory allows you to be much more
> > restrictive as to who can write there.
> > 
> > You can set up restricted FTP access or even only allow scp (ssh encrypted
> > file transfer) for trusted people to upload exports to the Zope import
> > directory if you need to give others import rights.
> 
> Uh, do you know any ssh-daemon for windows? ;-)

Sorry, no, but that's because I never looked. I am sure there are other
secure options for file transfer for Win32 available though.

-- 
Martijn Pieters
| Software Engineer            mailto:mj@digicool.com
| Digital Creations          http://www.digicool.com/
| Creators of Zope               http://www.zope.org/
| ZopeStudio: http://www.zope.org/Products/ZopeStudio
-----------------------------------------------------
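
The two controls discussed in this message, a single import directory and a custom unpickling class, sketched in modern Python as an added example that is not part of the original message and not Zope's code. The allowlist contents, file names and the `load_export` helper are assumptions, and `fractions.Fraction` stands in for any class that has a definition in the process but should not be created by an import.

```python
import collections
import fractions
import os
import pickle
import tempfile

# Assumed allowlist: the only (module, name) globals an export may reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every class or function the pickle stream names.
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return super().find_class(module, name)

def load_export(path, import_dir):
    """Unpickle path only if it resolves to a file inside import_dir."""
    real_dir = os.path.realpath(import_dir)
    real_path = os.path.realpath(path)  # resolves symlinks and ".." parts
    if os.path.commonpath([real_dir, real_path]) != real_dir:
        raise PermissionError(f"{path} is outside the import directory")
    with open(real_path, "rb") as fh:
        return AllowlistUnpickler(fh).load()

def outcome(path, import_dir):
    # Report the loaded object's type, or the error that blocked the import.
    try:
        return type(load_export(path, import_dir)).__name__
    except (PermissionError, pickle.UnpicklingError) as exc:
        return type(exc).__name__

def demo():
    # Constructed sample exports written to a temporary tree.
    with tempfile.TemporaryDirectory() as root:
        import_dir = os.path.join(root, "import")
        os.mkdir(import_dir)
        files = {
            os.path.join(import_dir, "ok.pkl"): collections.OrderedDict(title="docs"),
            os.path.join(import_dir, "other.pkl"): fractions.Fraction(1, 2),
            os.path.join(root, "outside.pkl"): collections.OrderedDict(title="docs"),
        }
        for path, obj in files.items():
            with open(path, "wb") as fh:
                pickle.dump(obj, fh)
        return [outcome(path, import_dir) for path in files]

if __name__ == "__main__":
    print(demo())
```

The allowlist only limits which classes a stream may name; an allowed class whose constructor or state handling has side effects still needs its own review, which is why covering a large object range is hard.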