[Zope] re module & through the web security
Chris McDonough
chrism@digicool.com
Wed, 6 Sep 2000 10:05:14 -0400 (EDT)
On Wed, 6 Sep 2000, Chris Withers wrote:
> Chris McDonough wrote:
> > There's the perception at DC that
> > 're' isn't appropriate for through-the-web usage because it's possible to
> > write and use regex that sends the Python interpreter thread it's
> > operating within into a neverending loop. Sorry.
>
> Am I the only one who thinks this is silly?
Probably not.
>
> One of Zope's key strengths is its granular security, right?
> So why isn't it the reponsibility of the site
> designer/maintainer/owner/whatever to ensure that only people he trusts
> have the ability to write DTML?
It is.
>
> It seems like that perception is hobbling Python Methods, in particular,
> by removing useful stuff like the re module because the assumption is
> being made that people editing TTW code will be untrusted.
TTW people are implicitly untrusted. This is core to the security model.
>
> IMH(umble), either you don't have confidence in Zope's security, or
> you're assuming your users are stupid (that may be fair for a lot of us,
> but still ;-)
I dont think either statement is true. It is because there are
restrictions that Zope TTW scripting is "safe." It's
designed to be more safe than expressive.
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org