[Zope] Re Re: Regular expressions insecurity?

Dieter Maurer dieter@handshake.de
Tue, 21 Jan 2003 23:18:57 +0100


Tue Wennerberg wrote at 2003-1-20 22:40 +0100:
 > Dieter Maurer wrote:
 > > I think 1 generic External Method will do it:
 > > 
 > >       External Method that has input parameters like "re.compile"
 > >       and returns a wrapper for the compiled regular expression.
 > > 
 > >       The wrapper can provide the methods of compiled regular
 > >       expressions, again wrapping the results if necessary (such
 > >       as for match objects).
 > > 
 > > Are you a volunteer?
 > 
 > Sure, but why is this a better solution than to allow 're' module by 
 > default? I'm not trying to be clever, I'm simply asking because I don't 
 > know :-)

It is not that trivial.

   The "re" engine creates type instances ("compiled regular expression";
   "match"). In order to use them, they must get security declarations.
   However, they are not prepared for the corresponding assignments.

   Therefore, wrapper classes are necessary. They provide
   the security declarations and delegate method calls to the
   wrapped instances.
   

Dieter
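
The wrapper approach described in this message, sketched as an added example (not part of the original post and not Zope's own code). The names `compile_regex`, `RegexWrapper` and `MatchWrapper` are hypothetical; the `__allow_access_to_unprotected_subobjects__` attribute stands in for whatever security declarations a site would actually choose, so that the block runs without Zope installed.

```python
import re

class MatchWrapper:
    """Ordinary Python class delegating to a match object from the "re" engine."""
    # Assumed Zope-style declaration. It can be assigned here because this is
    # a plain class, unlike the engine's own match type.
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, match):
        self._match = match  # underscore name: not reachable from restricted code

    def group(self, *args):
        return self._match.group(*args)

    def groups(self, default=None):
        return self._match.groups(default)

    def span(self, group=0):
        return self._match.span(group)

class RegexWrapper:
    """Wraps a compiled regular expression and exposes only chosen methods."""
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, pattern, flags=0):
        self._regex = re.compile(pattern, flags)

    def _wrap(self, match):
        # Results are wrapped again so no raw engine object is handed out.
        return None if match is None else MatchWrapper(match)

    def match(self, string, *pos):
        return self._wrap(self._regex.match(string, *pos))

    def search(self, string, *pos):
        return self._wrap(self._regex.search(string, *pos))

    def findall(self, string, *pos):
        return self._regex.findall(string, *pos)  # plain strings/tuples only

    def sub(self, repl, string, count=0):
        if callable(repl):  # a callback must receive the wrapper, not the raw match
            user_repl = repl
            repl = lambda m: user_repl(MatchWrapper(m))
        return self._regex.sub(repl, string, count)

def compile_regex(pattern, flags=0):
    """External Method entry point: same input parameters as re.compile."""
    return RegexWrapper(pattern, flags)
```

Because the wrappers define no `__getattr__`, anything not listed explicitly (for example the match object's `re` and `string` attributes) stays out of reach of the calling script.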