In article <37DAE0BA.3AFC13B@4-am.com>, Evan Simpson <evan@4-am.com> writes
Bill Anderson wrote:
Evan Simpson wrote:
----- Original Message ----- From: Jay, Dylan <djay@lucent.com>
Python methods look really nice; however, why remove the use of import? I guess this is a security hazard and allows access to the filesystem, but it also allows the use of many very useful packages that, to use, mean the messiness of creating external methods.
Funny you should mention that! <wink>. I have a version for my personal use with unlimited import enabled for just this reason.
Any way one could get a copy of that version to play with? :-)
You want scarywildunchained PythonMethods? Sign this waiver, please. It says that if you use what I'm about to tell you on your site, you agree that I can't be held responsible for anything that may occur, up to and including Weird Al Yankovic stuffing your server with gerbils and making you program in Intercal on a Commodore PET. Thank you.
Download the latest (0.1.1 as of this writing) PythonMethods, install it, and append the following lines to Guarded.py:
    if "you want completely unsecure, dangerous PMs" and "a classname that lies":
        from zbytecodehacks.VSExec import CodeBlock, Printing
        class GuardedBlock(CodeBlock):
            Mungers = [Printing]
then find the one-and-only call to UntupleFunction in PythonMethod.py, and replace "safefuncs.__class__.__dict__" with "__builtins__".
Restart Zope and watch the sparks fly.
... Couldn't this and similar things be done as a property setting on the method? Then you could have a proxy security to allow various degrees of un-safeness rather than just hack the code for all people. So really safe people could open files on the server etc., others could do regexps, etc.
--
Robin Becker
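
The per-method "degrees of un-safeness" idea raised in the last message, as an added example that is not part of the original thread or of PythonMethods: each method carries a trust tier that decides which modules its `import` may load, instead of handing every method the full `__builtins__`. The tier names, module lists, `BASE_BUILTINS` and `run_method` are assumptions made for illustration, and the example covers only the import policy, not the attribute-access guarding PythonMethods performs.

```python
import builtins

# Hypothetical trust tiers and module lists, constructed for this example.
TIERS = {
    "safe": frozenset(),                                    # no imports at all
    "text": frozenset({"re", "string", "math"}),            # pure computation
    "trusted": frozenset({"re", "string", "math", "os"}),   # may touch the filesystem
}

# Small constructed set of builtins exposed to method bodies.
BASE_BUILTINS = {"len": len, "str": str, "int": int, "range": range}


def make_guarded_import(tier):
    """Return an __import__ replacement that only admits the tier's modules."""
    allowed = TIERS[tier]  # KeyError on an unknown tier, so the policy fails closed

    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        root = name.partition(".")[0]
        # Deny relative imports and anything whose top-level package is unlisted.
        if level != 0 or root not in allowed:
            raise ImportError(f"import of {name!r} denied for tier {tier!r}")
        return builtins.__import__(name, globals, locals, fromlist, level)

    return guarded_import


def run_method(source, tier):
    """Execute a method body under its tier and return its `result` variable."""
    env = {"__builtins__": dict(BASE_BUILTINS, __import__=make_guarded_import(tier))}
    exec(source, env)
    return env.get("result")


def is_denied(source, tier):
    """True if the method body is stopped by the import policy."""
    try:
        run_method(source, tier)
    except ImportError:
        return True
    return False
```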