[Zope] DTML, Zope and Regex

Chris McDonough chrism@zope.com
Wed, 10 Jul 2002 10:11:43 -0400


> Thanks for clarifying. I know it's not gone, and I've seen several threads
> debating that. Just wonder if someone could expand how enabling regexes can be
> unsafe for python scripts on Zope as Ben was suggesting. I feel regexes ARE an
> incredibly useful tool, and wish they were available for DTML and python
> scripts by default.

Actually, I don't think that it's as much that they're unsafe
(although apparently you can create a regex that will infinitely
recurse at least until you run out of stack space), but that the re
module is a C module and returns types that are C-defined and can't
be protected with normal security declarations.  Nobody has bothered
to wrap it in something that is usable in through-the-web code.
(It would be a nice Product for someone to write).

> I feel doing it via an external method complicates things unnecessarily IMHO (I
> am a Zope newbie, so don't know the reasoning behind this, but if PHP, for
> example, allows its use and makes developers life easier, I don't see why Zope
> restricts it).

PHP has no notion of untrusted code.  It isn't possible (as far as I
know) to safely delegate the writing of PHP code "through the web",
where you have assurances that the people writing the code can't
bollix up your world too much.  In Zope, it's not only possible,
it's the default (although it of course can be changed).

- C
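The wrapper Chris calls "a nice Product for someone to write", sketched as an added example that is neither from this thread nor from Zope: every entry point returns only plain Python values (str, int, tuple, list, None) and never hands back the C-defined pattern or match objects that security declarations cannot cover. The function names, the size caps and the refusal of callable replacements are my assumptions; in a real Product these functions would still need Zope's module security declarations applied to them.

```python
"""Hypothetical 'safe regex' helper around the C-implemented re module.

Constructed example, not Zope's own code. Compiled patterns and match
objects stay private to this module; callers only ever see built-ins.
"""
import re

MAX_TEXT_LEN = 10_000     # coarse cap on input size (assumed policy value)
MAX_PATTERN_LEN = 200     # coarse cap on pattern size (assumed policy value)
_cache = {}               # compiled patterns, never returned to callers


def _compile(pattern, flags=0):
    """Validate the pattern and compile it once; the object never leaves here."""
    if not isinstance(pattern, str) or len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern rejected")
    key = (pattern, flags)
    if key not in _cache:
        _cache[key] = re.compile(pattern, flags)
    return _cache[key]


def _check_text(text):
    """Reject non-strings and oversized inputs before any matching runs."""
    if not isinstance(text, str) or len(text) > MAX_TEXT_LEN:
        raise ValueError("text rejected")
    return text


def safe_match(pattern, text, flags=0):
    """Return (start, end, groups) as plain ints and strings, or None."""
    m = _compile(pattern, flags).search(_check_text(text))
    if m is None:
        return None
    return (m.start(), m.end(), m.groups())


def safe_findall(pattern, text, flags=0):
    """Return a list of strings (tuples of strings when groups are used)."""
    return list(_compile(pattern, flags).findall(_check_text(text)))


def safe_sub(pattern, repl, text, count=0, flags=0):
    """Substitute using a string template only. A callable repl would receive
    the raw match object, which is exactly the C-defined type being hidden."""
    if not isinstance(repl, str):
        raise TypeError("repl must be a string")
    return _compile(pattern, flags).sub(repl, _check_text(text), count)


def safe_split(pattern, text, maxsplit=0, flags=0):
    """Return a list of strings."""
    return _compile(pattern, flags).split(_check_text(text), maxsplit)
```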