[Zope] re module & through the web security
Dan L. Pierson
dan@sol.control.com
Wed, 6 Sep 2000 10:13:34 -0400 (EDT)
Chris Withers writes:
> Chris McDonough wrote:
> > There's the perception at DC that
> > 're' isn't appropriate for through-the-web usage because it's possible to
> > write and use regex that sends the Python interpreter thread its
> > operating within into a neverending loop. Sorry.
[snip]
> It seems like that perception is hobbling Python Methods, in particular,
> by removing useful stuff like the re module because the assumption is
> being made that people editing TTW code will be untrusted.
I think the re module is a good example for arguing that DTML and
Python Methods should have different criteria for deciding what
modules are available (and separate permissions for users, if they
don't already).
Somehow, the idea of mixing regexps and DTML gives me chills, but I
agree that it is a perfectly reasonable tool to want to use in Python Methods.
This relates more to the crusade to deprecate DTML programming as opposed
to DTML report writing than it does to security concerns.
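
The runaway-regex concern quoted above is commonly contained by running the match outside the serving thread under a time budget. The following is an added example, not code from Zope or from anyone in this thread; `guarded_search`, `RegexTimeout` and the sample inputs are hypothetical names and constructed values.

```python
import json
import subprocess
import sys

# Child program: reads {"pattern", "text"} as JSON on stdin and writes the
# match span (or null) as JSON on stdout. It runs in its own interpreter.
_CHILD = (
    "import json, re, sys\n"
    "req = json.load(sys.stdin)\n"
    "m = re.search(req['pattern'], req['text'])\n"
    "json.dump(m.span() if m else None, sys.stdout)\n"
)


class RegexTimeout(Exception):
    """The pattern did not finish within its time budget."""


def guarded_search(pattern, text, timeout=1.0):
    """Run re.search in a separate process so a runaway match can be killed.

    Returns (start, end) or None. Raises RegexTimeout if the budget is
    exceeded and ValueError if the child fails (for example, a bad pattern).
    """
    request = json.dumps({"pattern": pattern, "text": text})
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD],
            input=request, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before re-raising, so no stuck
        # process or thread is left behind.
        raise RegexTimeout(pattern) from None
    if proc.returncode != 0:
        raise ValueError("pattern rejected by child: %r" % pattern)
    span = json.loads(proc.stdout)
    return tuple(span) if span is not None else None


if __name__ == "__main__":
    # Constructed inputs: one ordinary pattern, one with nested quantifiers
    # that backtracks exponentially on a non-matching subject.
    print(guarded_search(r"\d+", "build 2000", timeout=10))
    try:
        guarded_search(r"(a+)+$", "a" * 40 + "b", timeout=2)
    except RegexTimeout:
        print("pattern exceeded its time budget and was killed")
```

Process start-up makes this far slower than an in-process `re` call, so it suits user-supplied patterns only, not trusted code paths.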