[Zope-dev] Re: Announce: FSPerlScript

Tres Seaver tseaver at zope.com
Mon Nov 1 10:26:56 EST 2004


Alan Milligan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> This patch is against CMF-1.4.7, although one could equally argue it's
> better suited elsewhere - there appear to me to be minor uncomfortable
> dependencies regardless of where it sits (unless it's made an
> independent product - which seems a little unwarranted given its
> simplicity).

Dependency management is one of the main reasons for splitting packages.
I note that the dependency is on Products.PerlMethod:  is that product
suitable for inclusion in the Zope core?  And where does it live now?

> This patch includes the following:
> ~   FSPerlScript.py
> ~   images/fspl.gif    (needs an artiste to draw a padlock!)
> ~   tests/test_FSPerlScript.py
> ~   tests/fake_skins/fake_skin/test1.pl
> ~   tests/fake_skins/fake_skin/test2.pl
> ~   __init__.py  (FSPerlScript registration)
> 
> Unfortunately, FSPerlScript is not quite as useful as I'd anticipated,
> given that the 'use' statement is a restricted opcode.
>
> I am more than willing to discuss with any interested party(s) how we
> may implement a security mechanism whereby we can specify 'safe' Perl
> modules, much as we do with the Python modules_allow stuff.

There is a lot of infrastructure to support "safe imports" from Python 
modules;  I imagine some of it would be at least reusable as a source of 
patterns:

   - $ZOPE_HOME/lib/python/AccessControl/ZopeGuards.py has a
     'guarded_import' function, which gets injected into the
     'safe_builtins' mapping as '__import__'.

   - It depends on assertions registered in the ModuleSecurityInfo
     helper in $ZOPE_HOME/lib/python/AccessControl/SecurityInfo.py.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
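
The pattern described in the reply above (a guarded `__import__` placed in the restricted builtins mapping and driven by per-module assertions), shown as an added stand-alone Python model; it is not part of the original thread and is not Zope's code. `declare_public`, `run_restricted`, the local `Unauthorized` class and the `math` policy are constructed for illustration, and the model covers only the import guard, not attribute or item guards.

```python
# Added illustration: a simplified model of an allow-list import guard.
# All names here are hypothetical stand-ins, not Zope's AccessControl API.
import importlib
import types

_module_assertions = {}  # module name -> names declared public


class Unauthorized(ImportError):
    """Local stand-in for the error raised when an import is refused."""


def declare_public(module_name, *names):
    """Record which names restricted code may use from module_name."""
    _module_assertions.setdefault(module_name, set()).update(names)


def guarded_import(name, globals=None, locals=None, fromlist=None, level=0):
    """Replacement for __import__ that consults the assertions first."""
    if level != 0:
        raise Unauthorized("relative imports are not allowed")
    allowed = _module_assertions.get(name)
    if allowed is None:
        raise Unauthorized("import of %r is not allowed" % name)
    for attr in fromlist or ():
        if attr not in allowed:  # also refuses "from x import *"
            raise Unauthorized("%s.%s is not declared public" % (name, attr))
    module = importlib.import_module(name)
    # Hand back a facade holding only the declared names, so a plain
    # "import x" cannot be used to reach the rest of the module.
    return types.SimpleNamespace(**{n: getattr(module, n) for n in allowed})


def run_restricted(source):
    """Execute source with a builtins mapping whose __import__ is guarded."""
    safe_builtins = {"__import__": guarded_import, "len": len, "range": range}
    env = {"__builtins__": safe_builtins}
    exec(source, env)
    return env


# Constructed policy: only math.sqrt is declared public.
declare_public("math", "sqrt")

if __name__ == "__main__":
    print(run_restricted("from math import sqrt\nresult = sqrt(16)")["result"])
    for src in ("import os", "from math import pi"):
        try:
            run_restricted(src)
        except Unauthorized as exc:
            print("refused:", exc)
```

An equivalent registry for Perl would map module names to the symbols a script may pull in, which is the "safe Perl modules" list the quoted message asks about.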


