[Zope-dev] Re: RestrictedPython vs zope.security.untrustedpython
Chris Withers
chris at simplistix.co.uk
Tue Nov 20 05:21:03 EST 2007
Philipp von Weitershausen wrote:
>> Indeed, but how do you prevent importing and insecure builtins like
>> "open" without RestrictedPython?
>
> Well, they can only use the builtins you give them, right?
Hmm, not sure what you mean by this? How do you choose what builtins to
give them?
> And the
> 'import' statement can be influenced with import hooks, AFAIK.
But surely your untrusted python script could then just go and undo those
same hooks?
> I don't
> know this for sure, though, so maybe you do need RestrictedPython after
> all.
I have a feeling I do, but I'd like to check ;-)
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
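
Added example, not part of the messages in this thread and not code from Zope or RestrictedPython: a Python 3 illustration of the two name-level controls discussed above, an explicit builtins allow-list and a replacement `__import__`, run against constructed sample scripts. The allow-lists and the names `guarded_import`, `make_globals` and `run_untrusted` are assumptions made for the illustration.

```python
import builtins

# Assumed allow-lists for this illustration (not taken from the thread).
SAFE_BUILTINS = ("len", "range", "sum", "min", "max", "sorted", "abs")
ALLOWED_MODULES = frozenset({"math"})


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Stand-in for __import__: only allow-listed top-level modules load."""
    if level != 0 or name.split(".")[0] not in ALLOWED_MODULES:
        raise ImportError("import of %r is not allowed" % name)
    return builtins.__import__(name, globals, locals, fromlist, level)


def make_globals():
    """Build a globals dict whose __builtins__ holds only the chosen names."""
    allowed = {n: getattr(builtins, n) for n in SAFE_BUILTINS}
    # The 'import' statement looks up __import__ in this dict.
    allowed["__import__"] = guarded_import
    return {"__builtins__": allowed}


def run_untrusted(source):
    """Execute source with the reduced builtins; return (namespace, error)."""
    env = make_globals()
    try:
        exec(compile(source, "<untrusted>", "exec"), env)
    except Exception as exc:
        return env, "%s: %s" % (type(exc).__name__, exc)
    return env, None


# Constructed sample scripts, one per case raised in the thread.
SAMPLES = {
    "allowed": "import math\nresult = sum(range(4)) + math.floor(2.5)",
    "open": "open('notes.txt')",
    "import os": "import os",
}

if __name__ == "__main__":
    for label, source in SAMPLES.items():
        env, error = run_untrusted(source)
        print(label, "->", error or env.get("result"))
```

This limits names only: attribute access on the objects handed to the script is not restricted by it, which is the part RestrictedPython addresses by rewriting the code at compile time.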