[Zope] More regular expressions security
Dylan Reinhardt
Dylan@DylanReinhardt.com
Sun, 19 Jan 2003 10:42:48 -0800
At 10:17 AM 1/19/2003, Tue Wennerberg wrote:
>So it's a question of trust. But surely a script developer can be trusted
>not to cause a DoS on the site he's working on! Script developers should
>be empowered, not crippled!
Zope empowers the admin to control the environment. If the admin trusts
the developers, that trust can be extended... but it is appropriate that
someone with command-line access should be involved any time a developer
wants to run unrestricted code. I think it's a question of preferring a
configuration that is "more secure" by default and giving admins full power
to loosen restrictions as they see fit.
>And some script developers don't have access to the file system.
That's exactly the point.
>So there it is. I'm writing this because I think that Zope is missing out
>on a great feature, and because I haven't gotten any answers indicating
>that there are other (worse) reasons why regular expressions are banned.
>Am I wrong? Am I being silly here?
It might be fun and/or interesting to make a product that validates and
performs regexes in a trustworthy fashion. I'm not a regex guru, so I'm
not sure exactly what level of validation is involved here. Installing
something like this would still require admin participation, but could hook
into the existing access controls such that use of the product could be
restricted on a per-developer basis.
Just thinkin'...
Dylan