Re: [Zope-dev] Trying to design a PythonMethod Product
Isn't this the same as External Methods? -josh z
From: "Evan Simpson" <evan@tokenexchange.com>
To: <zope-dev@zope.org>
Subject: [Zope-dev] Trying to design a PythonMethod Product
Date: Wed, 11 Aug 1999 16:34:39 -0500
I'm making a serious run at trying to create a Product which will allow through-the-web creation of methods written in straight Python. Right now what I've got is a pile of brainstorming, and I'd appreciate feedback.
Basically, I plan to take an arbitrary chunk of Python code, wrap it in a function definition, compile it, and then thrash the resulting bytecodes with bytecodehacks (see http://starship.python.net/crew/mwh/bch/index.html). This will serve the dual purposes of enforcing restrictions on what the code can do, and bending the semantics for better Zope integration.
Thoughts so far:
1. Must store a PythonMethod as raw text for editing purposes. Compile/hack on each load, or try to store the compiled function for speed?
2. Allow simple assignment, and no other kind. "x = anything" is legal, but not "x[0] = ...", "x.spam = ...", "x() = ...", etc. Tuple/list unpacking might also be allowed.
3. Disallow "del" and "exec" entirely.
4. Restrict "import" to modules/packages found in a particular location, so that 'safe' modules can be used.
5. Allow "while" and "for". Insert 'escape code' at the bottom of every loop, to allow PythonMethods to 'time out' after some elapsed time or loop count.
6. Allow "print" to be used to generate rendered output by replacing it with a function that accumulates text. If anything other than literal "None" is returned, the collected "print" text is discarded, otherwise it becomes the return value (on "return", "return None", and on implicit return, but not on "x=None; return x", for example).
7. Either disallow "global", or redirect access to globals into a controlled namespace.
8. Provide the Zope standard builtins (and tags?) as builtins.
or-have-I-missed-a-showstopper-ly y'rs Evan Simpson
Josh Zeidner wrote:
Isn't this the same as External Methods?
Nope, although I apologize if I didn't make that clear. PythonMethods are meant to be created and edited through the web-interface, and have the same 'safety level' as DTML stuff. Code in External Methods can only be manipulated in the local filesystem since they are 'unsafe'.
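
The static rules in items 2, 3, 4 and 7 of the proposal quoted above, written as a source checker. This is an added example, not code from the thread or from Zope: it uses Python 3's `ast` module in place of bytecodehacks, and `check_method_source` and `SAFE_MODULES` are hypothetical names.

```python
import ast
import textwrap

# Assumption: stands in for the "particular location" holding 'safe' modules.
SAFE_MODULES = frozenset({"math", "string"})

def check_method_source(body, safe_modules=SAFE_MODULES):
    """Return a list of rule violations for one method body (empty list = accepted)."""
    # Wrap the chunk in a function definition, as the proposal describes.
    wrapped = "def _method():\n" + (textwrap.indent(body, "    ") or "    pass")
    try:
        tree = ast.parse(wrapped)
    except SyntaxError as exc:
        return [f"line {(exc.lineno or 1) - 1}: syntax error: {exc.msg}"]

    problems = []
    def flag(node, message):
        problems.append((node.lineno - 1, message))  # -1 undoes the wrapper line

    for node in ast.walk(tree):
        # Item 2: only plain names (and tuples/lists of them) may be assigned to.
        if isinstance(node, (ast.Attribute, ast.Subscript)) and isinstance(node.ctx, ast.Store):
            flag(node, "only simple assignment is allowed")
        # Item 3: no "del"; exec is a builtin in Python 3, so reject the name itself.
        elif isinstance(node, ast.Delete):
            flag(node, '"del" is not allowed')
        elif isinstance(node, ast.Name) and node.id == "exec":
            flag(node, '"exec" is not allowed')
        # Item 4: imports only from the allow-listed modules.
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in safe_modules:
                    flag(node, f'import of "{alias.name}" is not allowed')
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if node.level or root not in safe_modules:
                flag(node, f'import from "{node.module}" is not allowed')
        # Item 7: this sketch takes the "disallow global" option.
        elif isinstance(node, ast.Global):
            flag(node, '"global" is not allowed')
    return [f"line {n}: {m}" for n, m in sorted(problems)]
```

Items 5 and 6 are rewrites of the compiled code rather than checks, so they are not covered here.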