[Zope-dev] PythonScripts
Dieter Maurer
dieter@handshake.de
Fri, 29 Dec 2000 13:23:18 +0100
I looked at ZopeCVS's PythonScripts.
I mostly like it -- with the following exceptions:
* Namespace binding
It does not yet work, apparently:
In DTML, I have:
<dtml-call "REQUEST.set('a','a')">
<dtml-var pyscript>
in PythonScript "pyscript":
return _['a']
and I get: "KeyError: a"
* Try it
It is very nice that such a "try it" exists!
However, as I am in Python, I would like to use
Python expressions as argument values.
Currently, the values are treated as strings.
Default argument values are displayed as part of the
argument name. If the values in the "try it" tab
were Python expressions, the default values should be
used to preset the value fields.
* Preventing creation of large sequences
Apparently, you try hard to prevent the creation of large
sequences. For a malicious user, it is however quite
easy to counter your measures: either with a "while" loop
or with a nested sequence repetition.
To make it safe, you would probably need to limit
the total complexity of all objects (together) that
are created in the script (or other scripts called by
this one).
Alternatively, you could document that various
security issues remain, if PythonScripts are made
editable through the web.
* Import control
I know that I can control what modules (and names) can be imported
in PythonScripts by providing an
__access_to_unprotected_subobjects__
definition *in the* module.
However, this is a global control affecting all PythonScripts
in an installation. I see the demand for more
localized control, e.g. that a script not editable through
the web should import modules that are not safe for
use by anonymous users.
Dieter
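Added worked example (editor's note, not part of Dieter's message and not Zope's PythonScripts code): the "large sequence" point above, reduced to a few lines of plain Python. A guard that only checks each individual `seq * n` is defeated by a `while` loop or by nested repetition, since every single step stays under the per-operation cap while the total grows without bound. A cumulative budget that is charged by every allocation in the run (and that would be handed on to any script called from this one) stops both. `PER_OP_LIMIT`, `TOTAL_BUDGET`, `Budget`, `repeat_per_op` and the builder functions are all hypothetical names chosen for this illustration.

```python
"""Per-operation caps versus a cumulative allocation budget.

Hypothetical model of the sandboxing problem; the limits and names are invented
for illustration and are not Zope's.
"""

PER_OP_LIMIT = 1_000     # hypothetical cap on one sequence repetition
TOTAL_BUDGET = 10_000    # hypothetical cap on everything one run may build


class TooLarge(Exception):
    """Raised when a script tries to build more than it is allowed to."""


def repeat_per_op(seq, n):
    """Per-operation guard only: it looks at this one `seq * n` and nothing else."""
    if len(seq) * n > PER_OP_LIMIT:
        raise TooLarge("single repetition too large")
    return seq * n


class Budget:
    """Cumulative accounting shared by every allocation made during one run.

    Passing the same Budget to any script invoked from the running one is what
    makes the 'other scripts called by this one' case work.
    """

    def __init__(self, limit):
        self.limit = limit
        self.used = 0

    def charge(self, n):
        self.used += n
        if self.used > self.limit:
            raise TooLarge(f"cumulative allocation {self.used} exceeds {self.limit}")

    def repeat(self, seq, n):
        """Same per-op check as repeat_per_op, plus a charge against the total."""
        size = len(seq) * n
        if size > PER_OP_LIMIT:
            raise TooLarge("single repetition too large")
        self.charge(size)
        return seq * n


def build_with_while(repeat, target):
    """The 'while' counter: many repetitions, each individually under the cap."""
    out = []
    while len(out) < target:
        out.extend(repeat([0], PER_OP_LIMIT))
    return len(out)


def build_nested(repeat, k):
    """The nested-repetition counter: the inner chunk and the outer driver are
    each under the cap, but k copies of the chunk are materialised."""
    outer = [repeat([0], PER_OP_LIMIT) for _ in repeat([None], k)]
    return sum(len(chunk) for chunk in outer)


def attempt_under_budget(builder, *args):
    """Run a builder against a fresh cumulative budget and report the outcome:
    ('ok', elements built) or ('blocked', elements charged when it was stopped)."""
    budget = Budget(TOTAL_BUDGET)
    try:
        return ("ok", builder(budget.repeat, *args))
    except TooLarge:
        return ("blocked", budget.used)


if __name__ == "__main__":
    # Per-op guard alone: both counters build 100x the cap without complaint.
    print(build_with_while(repeat_per_op, 100_000))
    print(build_nested(repeat_per_op, 100))
    # Cumulative budget: both are stopped shortly after exceeding TOTAL_BUDGET,
    # while a modest script still runs.
    print(attempt_under_budget(build_with_while, 100_000))
    print(attempt_under_budget(build_nested, 100))
    print(attempt_under_budget(build_with_while, 5_000))
```

The budget here only counts elements created by repetition; a real sandbox would have to charge string concatenation, comprehensions, copies and so on through the same accounting, which is exactly why the message calls it "the total complexity of all objects (together)".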