[Zope-dev] Re: Announce: FSPerlScript
Tres Seaver
tseaver at zope.com
Mon Nov 1 10:26:56 EST 2004
Alan Milligan wrote:
> Hi,
>
> This patch is against CMF-1.4.7, although one could equally argue it
> better suited elsewhere - there appear to me to be minor uncomfortable
> dependencies regardless of where it sits (unless it's made an
> independent product - which seems a little unwarranted given its
> simplicity).
Dependency management is one of the main reasons for splitting packages.
I note that the dependency is on Products.PerlMethod: is that
product suitable for inclusion in the Zope core? And where does it live
now?
> This patch includes the following:
> ~ FSPerlScript.py
> ~ images/fspl.gif (needs an artiste to draw a padlock!)
> ~ tests/test_FSPerlScript.py
> ~ tests/fake_skins/fake_skin/test1.pl
> ~ tests/fake_skins/fake_skin/test2.pl
> ~ __init__.py (FSPerlScript registration)
>
> Unfortunately, FSPerlScript is not quite as useful as I'd anticipated,
> given that the 'use' statement is a restricted opcode.
>
> I am more than willing to discuss with any interested party(s) how we
> may implement a security mechanism whereby we can specify 'safe' Perl
> modules, much as we do with the Python modules_allow stuff.
There is a lot of infrastructure to support "safe imports" from Python
modules; I imagine some of it would be at least reusable as a source of
patterns:
  - $ZOPE_HOME/lib/python/AccessControl/ZopeGuards.py has a
    'guarded_import' function, which gets injected into the
    'safe_builtins' mapping as '__import__'.
  - It depends on assertions registered in the ModuleSecurityInfo
    helper in $ZOPE_HOME/lib/python/AccessControl/SecurityInfo.py.
Tres.
--
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
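
The pattern described in the reply above, an import hook injected into the restricted builtins that consults a registry of per-module assertions, as an added sketch that is not part of the original post and is not Zope's code. `allow_module`, `_ALLOWED`, `run_restricted` and the `Unauthorized` class are hypothetical stand-ins; only the name `guarded_import` is taken from the post.

```python
import importlib
from types import SimpleNamespace

class Unauthorized(ImportError):
    """Raised when restricted code asks for something not declared public."""

# Hypothetical registry: module name -> names restricted code may use.
_ALLOWED = {}

def allow_module(name, *public_names):
    """Register the assertion that `name` exposes `public_names`."""
    _ALLOWED.setdefault(name, set()).update(public_names)

def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Stand-in for __import__ that consults the registry before importing."""
    if level != 0:
        raise Unauthorized("relative imports are not allowed")
    public = _ALLOWED.get(name)
    if public is None:
        raise Unauthorized("import of %r is not allowed" % name)
    for attr in fromlist or ():
        if attr not in public:  # also rejects 'from m import *'
            raise Unauthorized("%s.%s is not declared public" % (name, attr))
    module = importlib.import_module(name)
    # Hand back a facade holding only the declared names, so a plain
    # 'import m' cannot reach the rest of the module.
    return SimpleNamespace(**{n: getattr(module, n) for n in public})

def run_restricted(source):
    """Execute `source` with guarded_import injected as '__import__'."""
    # Replacing builtins covers only the import path; it is not a
    # sandbox on its own.
    safe_builtins = {"__import__": guarded_import, "len": len, "range": range}
    scope = {"__builtins__": safe_builtins}
    exec(source, scope)
    return scope

# Constructed sample policy for the demonstration.
allow_module("math", "sqrt", "pi")
```

The same two pieces, a registry of declared-safe modules and a hook that refuses anything outside it, are what an allow-list for Perl modules would need in place of blocking `use` outright.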