[Zope-dev] Trying to design a PythonMethod Product

Evan Simpson evan@4-am.com
Thu, 12 Aug 1999 08:42:11 -0500


Martijn Faassen wrote:

> Evan Simpson wrote:
> [snip intro on PythonMethod]
>
> Sounds great so far. I'd love to take a look at this and try to help you
> out.

Great! I'll try to get some code working soon.

> Recompile/rehack each time the PythonMethod text is edited. This doesn't
> make anything extra difficult, I think? Take a look at XML Document (get
> it from CVS) for an example on how that's done.

Probably will copy whatever DTMLMethods do with Python expressions.

> Huh, why not [allow complex assignment]?  [...] Why disallow 'del'?

At least to start with, I'm planning to emulate the restrictions on data
manipulation that DTMLMethods impose.  Persistent Zope objects certainly are
protected, but any raw lists or dicts being passed around would be changeable in
ways not possible with expressions alone.  Whether this is really a problem is
another question.

> Or perhaps instead of doing [loop counting/timeout], it's easier to do
> something like what was mentioned on the Python Microthreads discussion on
> comp.lang.python earlier. Basically just restrict the entire PythonMethod
> thread to a set amount of 'ticks'. Once the ticks are up and the Method
> didn't finish properly, throw an exception, or something.

This sounds good, but I haven't a good idea how you would implement it.  As Tim
Peters pointed out in another thread, there's at least one simple way to crash a
Python interpreter to which DTML is vulnerable, and many hard-to-thwart ways to
make simple code run arbitrarily long.  Because of this, I'm not going to worry
too much about protecting against DoS.

[return of collected output should be explicit]

> Or something more complicated. I posted a message with a prototype on
> this type of thing a while back to this list. Just look for the messages
> with my name. :)

I'll look for it, and I agree that this should be explicit.  PythonMethods will
definitely follow standard Zope practice in returned values.

Thanks for the $0.02,
Evan Simpson
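An added example, not code from this thread or from Zope, of the 'ticks' budget Martijn describes, written against CPython 3's sys.settrace hook. The names run_with_tick_limit, TickLimitExceeded and the three sample callables are invented for the illustration. It also shows the caveat Evan raises: the budget counts interpreter line events, so a single builtin call that does a lot of work costs one tick however long it runs.

```python
"""Tick-budget sandbox sketch (added example, not Zope's PythonMethod code).

Gives an untrusted call a budget of interpreter 'line' events and raises once
the budget is spent. Because sys.settrace only sees Python-level execution,
heavy work inside one builtin (sum over a huge range, a large sort) costs a
single tick, which is exactly why a tick budget alone does not bound runtime.
"""
import sys


class TickLimitExceeded(Exception):
    """Raised when the sandboxed call exhausts its tick budget."""


def run_with_tick_limit(func, max_ticks, *args, **kwargs):
    """Call func(*args, **kwargs) with a budget of max_ticks 'line' events.

    Returns (result, ticks_used). Raises TickLimitExceeded when the budget runs
    out. The previous trace hook is restored in every case. sys.settrace is
    per-thread, so the budget covers only the calling thread.
    """
    ticks = 0

    def line_tracer(frame, event, arg):
        nonlocal ticks
        if event == "line":
            ticks += 1
            if ticks > max_ticks:
                # Raising here propagates out of the traced frame and CPython
                # switches tracing off, so no further ticks are counted.
                raise TickLimitExceeded(
                    "budget of %d ticks exhausted at %s:%d"
                    % (max_ticks, frame.f_code.co_filename, frame.f_lineno))
        return line_tracer

    def call_tracer(frame, event, arg):
        # Invoked on every new frame ('call' event). Returning line_tracer
        # enables per-line tracing for that frame and, via later call
        # events, for everything it calls.
        return line_tracer

    previous = sys.gettrace()
    sys.settrace(call_tracer)
    try:
        result = func(*args, **kwargs)
    finally:
        sys.settrace(previous)
    return result, ticks


def well_behaved(n):
    """Constructed sample: finishes well within any sensible budget."""
    total = 0
    for i in range(n):
        total += i
    return total


def runaway():
    """Constructed sample: never finishes on its own."""
    n = 0
    while True:
        n += 1


def one_expensive_step():
    """Constructed sample: a million additions inside a single builtin call."""
    return sum(range(10**6))


def demo(budget=1000):
    """Run the three samples under the same budget and report what happened."""
    hook_before = sys.gettrace()
    ok, used = run_with_tick_limit(well_behaved, budget, 10)
    try:
        run_with_tick_limit(runaway, budget)
        stopped = False
    except TickLimitExceeded:
        stopped = True
    _, expensive_ticks = run_with_tick_limit(one_expensive_step, budget)
    return {
        "well_behaved": ok,                  # 45
        "well_behaved_ticks": used,          # a few dozen line events
        "runaway_stopped": stopped,          # True: the loop was cut off
        "expensive_ticks": expensive_ticks,  # 1: a million adds, one tick
        "hook_restored": sys.gettrace() is hook_before,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %r" % (key, value))
```

The runaway loop is stopped after about 500 iterations, but one_expensive_step completes with a single tick charged, so anything that needs a real bound on CPU time has to come from outside the interpreter (a watchdog, a process limit), which is the point Evan concedes above.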