[Zope-dev] RFC: Possible change to PythonMethod restrictions

Evan Simpson evan@4-am.com
Wed, 05 Jan 2000 23:24:42 -0600


I've been thinking about submitting some changes to PythonMethods, but
now that they're going to be part of Zope, I thought I should put the
idea out for discussion first.

A minor annoying side-effect of the safety restrictions on PMs is that
you can't manipulate local data structures directly.  For example, if
you create a dictionary or list to hold some objects, you can't scan
through and delete items from it.  You have to build a new list or dict
instead.

I think it should be possible to safely allow some normally illegal
operations as long as Zope can verify that you created the target
object.  When a PythonMethod compiles its code, the following steps
would take place:

1.  A dict flagging local names as 'safe' or 'unsafe' (0 or 1) is
created, defaulting to 'safe' for all.
2.  When a local variable is set to a list or dict literal (BUILD_LIST
or BUILD_MAP sequence followed by STORE_FAST) the variable name is left
alone.
3.  When a local variable is set to anything else the name is flagged
'unsafe'.
4.  Index and slice assignment and deletion are allowed on a bare name
if the name is still flagged 'safe' at the end.

This isn't by any means smart enough to allow all 'safe' cases to be
allowed, but it will never let you perform an 'unsafe' operation.  It
provides just enough leeway for you to create local lists and dicts and
do whatever you want to them, so long as you keep them in a local
variable.

The allowed operations in (4) are, more formally, STORE_SUBSCR,
DELETE_SUBSCR, STORE_SLICE*, and DELETE_SLICE* where the first operand
is the result of a LOAD_FAST of a 'safe' name.
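The four steps above, as an added example that is not Evan's proposed PythonMethod code: the same 'safe'/'unsafe' bookkeeping done over a modern Python AST instead of the bytecode sequence, which lets the rule be checked with the standard `ast` module. It assumes a single method body (no nested function scopes) and treats parameters, loop targets and augmented assignments as non-literal bindings.

```python
import ast

LITERALS = (ast.List, ast.Dict)

class LocalMutationChecker(ast.NodeVisitor):
    """Safe-local-name rule applied to a method body's AST.

    A name stays 'safe' only while every binding of it is a list or dict
    literal; any other binding (call, attribute, loop target, unpacking,
    augmented assignment, parameter) flags it 'unsafe'.  Index and slice
    stores/deletes are allowed only on a bare, still-'safe' name.
    """
    def __init__(self):
        self.literal_bound = set()  # names bound by a list/dict literal
        self.unsafe = set()         # names bound by anything else
        self.mutations = []         # (lineno, target name or None)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name) and isinstance(node.value, LITERALS):
                self.literal_bound.add(target.id)  # step 2: name left alone
            else:
                self.visit(target)                 # step 3 via visit_Name
        self.visit(node.value)

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Store):
            self.unsafe.add(node.id)               # step 3: any other binding

    def visit_arg(self, node):
        self.unsafe.add(node.arg)                  # parameters come from outside

    def visit_Subscript(self, node):
        if isinstance(node.ctx, (ast.Store, ast.Del)):
            name = node.value.id if isinstance(node.value, ast.Name) else None
            self.mutations.append((node.lineno, name))  # step 4 candidates
        self.generic_visit(node)

def check_local_mutations(source):
    """Return [(lineno, name), ...] for every disallowed subscript or slice
    store/delete; an empty list means the body passes the rule."""
    c = LocalMutationChecker()
    c.visit(ast.parse(source))
    return [(line, name) for line, name in c.mutations
            if name is None or name not in c.literal_bound or name in c.unsafe]

# Constructed sample bodies: PASSES only mutates a literal-bound name;
# FAILS rebinds `buf` from a call before the index store.
PASSES = "seen = {}\nfor obj in objects:\n    seen[obj.id] = obj\ndel seen['x']\n"
FAILS = "buf = []\nbuf = make_buffer()\nbuf[0] = 1\n"
```

A name that is never bound by a literal at all (for example an object passed in from outside) is also rejected, matching the bytecode rule that only a LOAD_FAST of a 'safe' name may be the first operand.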

Thoughts?

Evan @ 4-am