[Zope] Regular expressions insecurity?

Paul Winkler pw_lists@slinkp.com
Tue, 21 Jan 2003 13:05:51 -0800


On Tue, Jan 21, 2003 at 09:54:59PM +0100, Tue Wennerberg wrote:
> >2) The python regex package is in C and no one has written the security
> >wrapping code that Zope requires. I'm fuzzy on the details but this answer
> >makes a lot more sense.
> 
> Well yes, if regular expressions were a security risk. This seems to be 
> the general notion, but can anyone actually give an example?

No, that's not the point of 2) above.

The point is that *any* module you import in zope ttw code must
have certain security assertions, or you'll be denied access
when you try to run the script.  Allowing re to be imported
would require writing a python wrapper to the re module (which is
in C), and adding these security assertions to the wrapper.
Nobody has taken the time to do this and post it publicly.

It doesn't matter if the module is deemed a security risk
or not. No security assertions?  Import is not allowed
except in External Methods and filesystem Products. No exceptions.

-- 

Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's PYSCHOMETRIC JUDO SKORPION!
(courtesy of isometric.spaceninja.com)
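
The default-deny import rule described in the message above, as an added example that is not part of the original post and is not Zope's own code. It is a simplified pure-Python model of the policy only, not a sandbox, and `declare_public`, `GuardedModule`, `guarded_import` and `run_restricted` are hypothetical names.

```python
import importlib

class Unauthorized(Exception):
    """Restricted code touched something that has no security assertion."""

# Module name -> names declared public. Empty by default: nothing is importable.
ASSERTIONS = {}

def declare_public(module_name, *names):
    """Hypothetical helper: assert that `names` of `module_name` may be exposed."""
    ASSERTIONS.setdefault(module_name, set()).update(names)

class GuardedModule:
    """Wrapper that exposes only the asserted names of the real module."""
    def __init__(self, module, allowed):
        self._module, self._allowed = module, allowed

    def __getattr__(self, name):  # reached for any name not set in __init__
        if name.startswith("_") or name not in self._allowed:
            raise Unauthorized("%s.%s has no security assertion"
                               % (self._module.__name__, name))
        return getattr(self._module, name)

def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Default deny: the decision depends on assertions, not on perceived risk."""
    if name not in ASSERTIONS:
        raise Unauthorized("no security assertions for module %r" % name)
    return GuardedModule(importlib.import_module(name), ASSERTIONS[name])

def run_restricted(source):
    """Run script text with the guarded import; return its `result` variable."""
    env = {"__builtins__": {"__import__": guarded_import}}
    exec(source, env)
    return env.get("result")

# Constructed sample script, standing in for through-the-web code.
SCRIPT = "import re\nresult = re.match('a+', 'aaab').group()"

if __name__ == "__main__":
    try:
        run_restricted(SCRIPT)
    except Unauthorized as exc:
        print("before:", exc)          # denied: no assertions exist for re
    declare_public("re", "match")      # the missing wrapper step
    print("after:", run_restricted(SCRIPT))
```
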