[Zope-dev] RFC: Possible change to PythonMethod restrictions

Kevin Dangoor kid@kendermedia.com
Thu, 6 Jan 2000 14:39:09 -0500


Hi,

    I'm not the right person to speak about the security aspects of this,
but as a PythonMethod user, I will definitely say that this would be
helpful. There are so many uses for lists and dictionaries that it is
painful to not have them. So, if you can do this securely, please do!

    It sounds like you're comfortable with the security aspects of this
change. Are there any other tradeoffs to be aware of (performance penalties,
etc.)?

Kevin

----- Original Message -----
From: "Evan Simpson" <evan@4-am.com>
To: <zope-dev@zope.org>
Sent: Thursday, January 06, 2000 12:24 AM
Subject: [Zope-dev] RFC: Possible change to PythonMethod restrictions


> A minor annoying side-effect of the safety restrictions on PMs is that
> you can't manipulate local data structures directly.  For example, if
> you create a dictionary or list to hold some objects, you can't scan
> through and delete items from it.  You have to build a new list or dict
> instead.
>
> I think it should be possible to safely allow some normally illegal
> operations as long as Zope can verify that you created the target
> object.  When a PythonMethod compiles its code, the following steps
> would take place:

[snippage]