[Zope] re module & through the web security

Jens Vagelpohl jens@turbodiesel.net
Wed, 06 Sep 2000 07:53:54 -0400


i for my part think it makes sense. not just from a security standpoint
(think of those sites that allow members who are not necessarily hand-picked
to write DTML or attempt to do so) but also from a knowledge level
standpoint. who wants their site crashed just because the new programmer
doesn't know how to use that re functionality correctly?

looking back at all the products and projects i have been involved in i did
not have to use the re module a single time.

as you know, you can still use the whole module in zope code that resides on
the filesystem, like in products or in external methods. i'd rather be
inconvenienced once every few months than basically invite denial of service
attacks.

jens



 ----------------------------
 Jens Vagelpohl

 The VW Type 4 on the Web:
 http://www.type4.org
 ----------------------------

on 9/6/00 5:43, Chris Withers at chrisw@nipltd.com wrote:

> Chris McDonough wrote:
>> There's the perception at DC that
>> 're' isn't appropriate for through-the-web usage because it's possible to
>> write and use regex that sends the Python interpreter thread it's
>> operating within into a neverending loop.  Sorry.
> 
> Am I the only one who thinks this is silly?
> 
> One of Zope's key strengths is its granular security, right?
> So why isn't it the responsibility of the site
> designer/maintainer/owner/whatever to ensure that only people he trusts
> have the ability to write DTML?
> 
> It seems like that perception is hobbling Python Methods, in particular,
> by removing useful stuff like the re module because the assumption is
> being made that people editing TTW code will be untrusted.
> 
> IMH(umble), either you don't have confidence in Zope's security, or
> you're assuming your users are stupid (that may be fair for a lot of us,
> but still ;-)
> 
> Comments? :-)
> 
> Chris
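The failure mode both Chris McDonough and Jens describe above is a regex whose backtracking grows exponentially, so that a single `re` call parks the interpreter thread indefinitely. The following is an added example, not code from the thread or from Zope, showing one way a site operator could still expose pattern matching to less-trusted authors while bounding the damage: the match runs in a throwaway child process with a wall-clock budget, because CPython's `re` engine cannot be interrupted from another thread once it has started backtracking, so a thread-based timeout would not help. The function name `bounded_search`, the budget value and the sample patterns and subject strings are all constructed for this illustration.

```python
"""Bounded regex evaluation for patterns that come from an untrusted author.

Added example (not from the original thread): the match is executed in a
short-lived child process so that a pathological pattern can only waste the
child's time budget, never the main interpreter thread.
"""
import subprocess
import sys

# Source of the throwaway worker. It receives the pattern via argv and the
# subject text via stdin, and prints "1" for a match, "0" for no match.
# -I runs the child in isolated mode (no site customisation, no env overrides).
_WORKER_SRC = r"""
import re, sys
pattern = sys.argv[1]
text = sys.stdin.read()
sys.stdout.write("1" if re.search(pattern, text) else "0")
"""


def bounded_search(pattern: str, text: str, budget_seconds: float = 1.0):
    """Run re.search(pattern, text) under a wall-clock budget.

    Returns True/False for match/no match, or None if the child process had to
    be killed because the pattern blew its budget. Raises ValueError when the
    worker itself fails, e.g. because the pattern does not compile.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", _WORKER_SRC, pattern],
            input=text,
            capture_output=True,
            text=True,
            timeout=budget_seconds,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() kills the child before raising, so nothing keeps
        # spinning after we return.
        return None
    if proc.returncode != 0:
        raise ValueError(f"regex worker failed: {proc.stderr.strip()}")
    return proc.stdout == "1"


# Constructed sample inputs for the demonstration.
SAFE_PATTERN = r"^[a-z0-9_]+@example\.org$"
# Classic nested-quantifier shape: when the trailing '$' cannot match, the
# number of ways to split the run of 'a's is exponential in its length.
RISKY_PATTERN = r"^(a+)+$"
RISKY_SUBJECT = "a" * 30 + "!"


if __name__ == "__main__":
    print("safe, match   :", bounded_search(SAFE_PATTERN, "jens@example.org"))
    print("safe, no match:", bounded_search(SAFE_PATTERN, "not an address"))
    print("risky (None means budget exceeded):",
          bounded_search(RISKY_PATTERN, RISKY_SUBJECT))
```

The cost of this approach is an interpreter start per call, which is acceptable for an occasional through-the-web pattern but not for a hot path; the benefit is that a runaway pattern is contained and reported (the `None` return is a good thing to log), rather than tying up one of the server's worker threads until someone restarts it.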