[Zope] Re: PythonMethods and import

Robin Becker robin@jessikat.demon.co.uk
Tue, 14 Sep 1999 13:09:22 +0100


In article <37DAE0BA.3AFC13B@4-am.com>, Evan Simpson <evan@4-am.com>
writes
>Bill Anderson wrote:
>
>> Evan Simpson wrote:
>> >
>> > ----- Original Message -----
>> > From: Jay, Dylan <djay@lucent.com>
>> > > Python methods look really nice however why remove the use of import. I
>> > > guess this is a security hazard and allows access to the filesystem but it
>> > > also allows the use of many very useful packages that to use mean the
>> > > messiness of creating external methods.
>> >
>> > Funny you should mention that! <wink>.  I have a version for my personal use
>> > with unlimited import enabled for just this reason.
>>
>> Any way one could get a copy of that version to play with ? :-)
>
>You want scarywildunchained PythonMethods?  Sign this waiver, please.  It says
>that if you use what I'm about to tell you on your site, you agree that I can't
>be held responsible for anything that may occur, up to and including Weird Al
>Yankovic stuffing your server with gerbils and making you program in Intercal on
>a Commodore PET.  Thank you.
>
>Download the latest (0.1.1 as of this writing) PythonMethods, install it, and
>append the following lines to Guarded.py:
>
>if "you want completely unsecure, dangerous PMs" and "a classname that lies":
>    from zbytecodehacks.VSExec import CodeBlock, Printing
>    class GuardedBlock(CodeBlock):
>        Mungers = [Printing]
>
>then find the one-and-only call to UntupleFunction in PythonMethod.py, and
>replace "safefuncs.__class__.__dict__" with "__builtins__".
>
>Restart Zope and watch the sparks fly.
>
...
Couldn't this and similar things be done as a property setting on the
method? Then you could have a proxy security to allow various degrees of
un-safeness rather than just hack the code for all people. So really
safe people could open files on the server etc others could do regexps
etc etc.
-- 
Robin Becker