It works. I'm really tired. For more, see http://zope.org:18200/Members/4am/PythonMethod
In article <37D4B328.DCAFB498@4-am.com>, Evan Simpson <evan@4-am.com> writes
It works. I'm really tired. For more, see http://zope.org:18200/Members/4am/PythonMethod
OK I've installed this and have got a minor nit. If I define this as an external method in /test

    def hello_world(name='nobody'):
        return "Hello, " + name + "!"

then /test/hello_world/name=Robin gives back

    Hello, Robin!

however if I define as a python method I get back

    Hello, nobody!

for the python method my argument list looks like

    name='nobody'

and the body looks like

    return "Hello, " + name + "!"

the python method works as expected from DTML.
--
Robin Becker
Robin Becker wrote:
then /test/hello_world/name=Robin gives back Hello, nobody!
the python method works as expected from DTML.
Yep, calling directly from other objects works fine, but direct traversal passes no arguments to the method. That's on the plate for 0.0.2.
Evan Simpson wrote:
It works. I'm really tired. For more, see http://zope.org:18200/Members/4am/PythonMethod
Great! It seems to work for '+', but I can't get it to multiply. I tried multiplying a string with a number, or two numbers, but it just tells me 'ha!'. :) Regards, Martijn
Martijn Faassen wrote:
Great! It seems to work for '+', but I can't get it to multiply. I tried multiplying a string with a number, or two numbers, but it just tells me 'ha!'. :)
Ah, yes %^). It was very early when I packaged it up, and I forgot to strip out the test code that I was using to verify operator restrictions. Next version or so, it'll do the standard Zope test for over-large sequence multiplication and leave numbers alone. Just in case anyone misses the significance of the 0.0.1 version number, BTW, this is *not* production code. It shouldn't crash your server, but that's all I would bet on. For all I know it's got little gremlins living in it which will come out at night and eat your toes. Since it's meant for people who know Python already anyway, I'm hoping for feedback on the actual code, which is why it's out there at all. Have fun!
Evan Simpson wrote:
Martijn Faassen wrote:
Great! It seems to work for '+', but I can't get it to multiply. I tried multiplying a string with a number, or two numbers, but it just tells me 'ha!'. :)
Ah, yes %^). It was very early when I packaged it up, and I forgot to strip out the test code that I was using to verify operator restrictions. Next version or so, it'll do the standard Zope test for over-large sequence multiplication and leave numbers alone.
Does it do any kind of cut-off after too many bytecodes are executed already? I wasn't able to find a reference to this in the docs so I assume not. It'd be very neat if it did that, though. :)
Just in case anyone misses the significance of the 0.0.1 version number, BTW, this is *not* production code. It shouldn't crash your server, but that's all I would bet on. For all I know it's got little gremlins living in it which will come out at night and eat your toes. Since it's meant for people who know Python already anyway, I'm hoping for feedback on the actual code, which is why it's out there at all.
I know, I know. :) I was just toying around with it -- I'll investigate the source later. I can't wait for a fully functional PythonMethod though; it'd be so much easier to do advanced stuff then inside the Zope environment! Regards, Martijn
Martijn Faassen wrote:
Does it do any kind of cut-off after too many bytecodes are executed already? I wasn't able to find a reference to this in the docs so I assume not. It'd be very neat if it did that, though. :)
It sure would be. Sadly, while I've been told that this might be possible in a generic fashion, the only way I *know* how to do it is to insert a lot of test code near jumps. Implementing that is way down my list.
On Tue, 7 Sep 1999, Evan Simpson wrote:
Martijn Faassen wrote:
Does it do any kind of cut-off after too many bytecodes are executed already? I wasn't able to find a reference to this in the docs so I assume not. It'd be very neat if it did that, though. :)
It sure would be. Sadly, while I've been told that this might be possible in a generic fashion, the only way I *know* how to do it is to insert a lot of test code near jumps. Implementing that is way down my list.

Well, actually, one could count not bytecodes but iterations. The only possible culprits are

    while expr:
        stmts

and possibly

    for i in some_weird_dynamic_expression:
        stmts

Now, just insert a local variable, increment it on each loop iteration. Set an unreasonably high limit like 500000 iterations. Now, I know, this is not the same as using deterministic bytecode counters, but it should catch infinite loops, which is basically the idea for Web-entered code.

Additionally, you should consider making a copy of builtins, and use it instead of the original, so the python method is executed in Safe mode. While this might force hardcore Python hackers to use external methods, it would magically close all loopholes like accessing __dict__, code block attributes, etc.

Andreas
--
Andreas Kostyrka      | andreas@mtg.co.at
phone: +43/1/7070750  | phone: +43/676/4091256
MTG Handelsges.m.b.H. | fax: +43/1/7065299
Raiffeisenstr. 16/9   | 2320 Zwoelfaxing AUSTRIA
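[Added example, not part of the thread and not PythonMethod's own code: a sketch of the two ideas in the message above, an iteration counter injected at the top of every `while`/`for` body and execution against a replacement builtins table. The names `make_method`, `LoopGuard`, `__tick__` and the rule rejecting identifiers that start with an underscore are assumptions made for this illustration.]

```python
import ast
import textwrap

LIMIT = 500000  # the iteration ceiling suggested in the thread

class LoopLimitExceeded(RuntimeError):
    """Raised by the injected counter once the limit is passed."""

class LoopGuard(ast.NodeTransformer):
    """Insert a call to the hidden counter at the top of each loop body."""
    def _guard(self, node):
        self.generic_visit(node)  # nested loops get their own call
        tick = ast.Expr(ast.Call(ast.Name("__tick__", ast.Load()), [], []))
        node.body.insert(0, tick)
        return node
    visit_While = visit_For = _guard

def make_method(params, body, limit=LIMIT, safe_builtins=None):
    """Build a callable from an argument list and a body, both strings."""
    src = "def method(%s):\n%s" % (params, textwrap.indent(body, "    "))
    tree = ast.parse(src, "<python method>")
    # Refuse underscore names so the body can reach neither __dict__-style
    # attributes nor the injected __tick__ counter (assumed rule).
    for node in ast.walk(tree):
        for field in ("id", "attr", "name", "arg"):
            value = getattr(node, field, None)
            if isinstance(value, str) and value.startswith("_"):
                raise SyntaxError("name %r is not allowed" % value)
    tree = ast.fix_missing_locations(LoopGuard().visit(tree))
    count = [0]
    def tick():
        count[0] += 1
        if count[0] > limit:
            raise LoopLimitExceeded("more than %d loop iterations" % limit)
    # The method sees only this table instead of the real builtins.
    env = {"__builtins__": dict(safe_builtins or {}), "__tick__": tick}
    exec(compile(tree, "<python method>", "exec"), env)
    def call(*args, **kw):
        count[0] = 0  # one budget per invocation
        return env["method"](*args, **kw)
    return call

if __name__ == "__main__":
    # Constructed inputs: the hello_world body from earlier in the thread,
    # and a deliberately endless loop.
    hello = make_method("name='nobody'", 'return "Hello, " + name + "!"')
    print(hello("Robin"))
    spin = make_method("", "while 1:\n    pass", limit=1000)
    try:
        spin()
    except LoopLimitExceeded as exc:
        print("stopped:", exc)
```

The counter covers only `while` and `for` statements, so comprehensions, recursion and large allocations are not bounded by it.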
Andreas Kostyrka wrote:
Now, just insert a local variable, increment it on each loop iteration. Set an unreasonably high limit like 500000 iterations.
That's what I meant by inserting test code near jumps, actually :) This is such a low priority for me because of the number of deliberate denial of service attacks I know of which this would not solve. I may still implement it as a safety net for mistakes, rather than attacks.
Additionally, you should consider making a copy of builtins, and use it instead of the original, so the python method is executed in Safe mode. While this might force hardcore Python hackers to use external methods, it would magically close all loopholes like accessing __dict__, code block attributes, etc.
Already done. Right now __builtins__ is empty, but I'll probably just swipe the same set DTML objects use. I also plan to pervert 'import' to access the ZODB hierarchy instead of the filesystem.
Evan Simpson wrote:
Andreas Kostyrka wrote:
Now, just insert a local variable, increment it on each loop iteration. Set an unreasonably high limit like 500000 iterations.
That's what I meant by inserting test code near jumps, actually :) This is such a low priority for me because of the number of deliberate denial of service attacks I know of which this would not solve. I may still implement it as a safety net for mistakes, rather than attacks.
I don't think this is the right track though; it's hellishly complicated, you leave holes open, etc. While modifying the Python interpreter source is evil too, at least it's clean once you're past that. Apparently it can be done in an extension module too.. (as Microthreads does) Regards, Martijn
On Tue, 7 Sep 1999, Evan Simpson wrote:
Andreas Kostyrka wrote:
Now, just insert a local variable, increment it on each loop iteration. Set an unreasonably high limit like 500000 iterations.
That's what I meant by inserting test code near jumps, actually :) This is such a low priority for me because of the number of deliberate denial of service attacks I know of which this would not solve. I may still implement it as a safety net for mistakes, rather than attacks.

Which problems? Curious what I can't think of at the moment. (I'm currently at the Linux Kongress in Germany, so my Emails are short. ;) )

Andreas
--
Andreas Kostyrka      | andreas@mtg.co.at
phone: +43/1/7070750  | phone: +43/676/4091256
MTG Handelsges.m.b.H. | fax: +43/1/7065299
Raiffeisenstr. 16/9   | 2320 Zwoelfaxing AUSTRIA
Evan Simpson wrote:
Martijn Faassen wrote:
Does it do any kind of cut-off after too many bytecodes are executed already? I wasn't able to find a reference to this in the docs so I assume not. It'd be very neat if it did that, though. :)
It sure would be. Sadly, while I've been told that this might be possible in a generic fashion, the only way I *know* how to do it is to insert a lot of test code near jumps. Implementing that is way down my list.
Do take a look at Will Wares' microthreads. It's a hack, but it's transparent. It lets you import a module that contains a modified Python interpreter that can do this. Regards, Martijn
participants (4): Andreas Kostyrka, Evan Simpson, Martijn Faassen, Robin Becker