zoppi at cli.di.unipi.it
Thu Apr 11 18:27:44 EST 2002
On Wed, 10 Apr 2002, Gregory (Grisha) Trubetskoy wrote:
>
> After a little bit of thinking, this looks like essentially a bug - the
> Publisher (unlike the native mod_python handler) should not allow access
> to files that are not in the directory which is being requested.
>
> Another way to tackle it is to require something like a __publish__ variable
> to be defined inside the module, but I think that would be overkill.
>
> This is obviously a serious security issue, so I will have to rush a
> release out the door to fix it.

You can allow people to list security policies. For example:
- these modules are safe, and can be used, a la default deny stance.

This however doesn't solve the issue, but allows restricting potential problems.
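
The two checks discussed in this thread (keeping the module inside the requested directory, and a default-deny list of safe modules) can be combined as in the following added example. It is not part of the original message and is not mod_python code; `check_module`, `SAFE_MODULES` and the sample paths are hypothetical names chosen for illustration.

```python
import os

# Constructed policy for illustration: modules an administrator marked safe.
SAFE_MODULES = frozenset({"index", "guestbook"})


def check_module(request_dir, module_ref, safe_modules=SAFE_MODULES):
    """Decide whether module_ref (taken from the URL) may be loaded.

    Returns (path, reason); path is the file to import, or None on denial.
    """
    base = os.path.realpath(request_dir)
    candidate = os.path.realpath(os.path.join(base, module_ref + ".py"))

    # Containment: the resolved file must sit directly in the requested
    # directory. realpath() collapses "..", absolute references and
    # symlinks before the comparison is made.
    if os.path.dirname(candidate) != base:
        return None, "outside requested directory"

    # Default deny: anything not explicitly listed is refused, even when
    # the file lives in the right directory.
    name = os.path.splitext(os.path.basename(candidate))[0]
    if name not in safe_modules:
        return None, "not in allowlist"

    return candidate, "allowed"


if __name__ == "__main__":
    # Constructed sample requests against a constructed directory.
    for ref in ("guestbook", "admin", "../lib/guestbook", "/etc/guestbook"):
        print(ref, "->", check_module("/srv/www/app", ref))
```

The containment check runs first so that a listed module name cannot be satisfied by a same-named file in another directory.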