[Zope3-dev] zope.security.untrustedpython compiler
Phillip J. Eby
pje at telecommunity.com
Mon Mar 14 13:58:08 EST 2005
At 01:45 PM 3/14/05 -0500, Phillip J. Eby wrote:
>Is there any reason the untrustedpython compiler turns '.' operators into
>'getattr()' calls? Or is it just a holdover from Zope 2 RestrictedPython?
Never mind; I just read untrustedinterpreter.txt, which answers this
question nicely. It's to avoid allowing attribute accesses on "basic" or
"safe" objects to get an indirect escape route from the secured environment.
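
The rewrite described in this message, as an added example (not part of the original post and not Zope's own code): a Python `ast` transformer turns each `.` read into a `getattr()` call, so the `getattr` supplied to the untrusted code sees every access, including those on plain strings and numbers. `guarded_getattr`, `run_untrusted` and the underscore-name rule are assumptions standing in for Zope's security-proxy checks.

```python
import ast
import builtins


class DotToGetattr(ast.NodeTransformer):
    """Rewrite every read of `obj.name` into `getattr(obj, 'name')`."""

    def visit_Attribute(self, node):
        self.generic_visit(node)  # rewrite nested accesses first (a.b.c)
        if not isinstance(node.ctx, ast.Load):
            # e.g. an attribute used as a comprehension target
            raise SyntaxError("attribute assignment is not allowed")
        call = ast.Call(
            func=ast.Name(id="getattr", ctx=ast.Load()),
            args=[node.value, ast.Constant(value=node.attr)],
            keywords=[],
        )
        return ast.copy_location(call, node)


def guarded_getattr(obj, name, *default):
    """Hypothetical policy hook: refuse underscore-prefixed names.

    Zope instead wraps the result in a security proxy; a name rule is
    used here only to make the mediation visible.
    """
    if name.startswith("_"):
        raise AttributeError(f"access to {name!r} is forbidden")
    return builtins.getattr(obj, name, *default)


def rewrite(source):
    """Parse an expression and return its AST with '.' reads rewritten."""
    tree = DotToGetattr().visit(ast.parse(source, mode="eval"))
    return ast.fix_missing_locations(tree)


def rewritten_source(source):
    """Show what the rewritten expression looks like as source text."""
    return ast.unparse(rewrite(source))


def run_untrusted(source, names=None):
    """Evaluate a rewritten expression with only the guarded getattr."""
    code = compile(rewrite(source), "<untrusted>", "eval")
    env = {"__builtins__": {"getattr": guarded_getattr}}
    env.update(names or {})
    return eval(code, env)
```

Because the string literal `'abc'` is a "basic" object that carries no wrapper of its own, the only point at which `'abc'.__class__` can be refused is the `getattr` call the rewrite introduces.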