[Zope-Perl] security

[Gisle Aas]

Gisle Aas <gisle@ActiveState.com> writes:

> You should really be able to force this yourself with a Script(Perl)
> thing that does:
> 
>     my %hash = ( a => 42 );
>     return Python::dict(%hash);
> 
> But I don't really see how that helps, as you can't set the __roles__
> attribute on dicts either.  Currently this does not work because the
> Python:: namespace is not really set up for safe compartments, but
> that should not be hard to fix.  Setting up all the Python constructor
> functions is probably needed if you want to reliably determine what
> type a PerlMethod returns (int vs. float vs. strings).

This is a patch that should make the code above work:

Change 14071 by gisle@caliper on 2001/01/24 11:33:19

        Make the Python::* constructor functions available in the compartment
        of Script(Python).

Affected files ...

... //depot/main/Apps/Bifrost/zoperl/lib/perl/Zope.pm#7 edit

Differences ...

==== //depot/main/Apps/Bifrost/zoperl/lib/perl/Zope.pm#7 (text) ====

@@ -155,6 +155,15 @@
     *{"$root\::Python::Object::AUTOLOAD"} = \&compartment_pyobject_AUTOLOAD;
     *{"$root\::AUTOLOAD"} = *AUTOLOAD;
 
+    # make python constructors available
+    *{"$root\::Python::int"}     = \&Python::int;
+    *{"$root\::Python::long"}    = \&Python::long;
+    *{"$root\::Python::float"}   = \&Python::float;
+    *{"$root\::Python::complex"} = \&Python::complex;
+    *{"$root\::Python::list"}    = \&Python::list;
+    *{"$root\::Python::tuple"}   = \&Python::tuple;
+    *{"$root\::Python::dict"}    = \&Python::dict;
+
     # This hack make sure Python::Object objects in the compartment will
     # not get confused about their names.
     require Hack::Names;