[Zope-Perl] security

Chris McDonough chrism@digicool.com
Wed, 24 Jan 2001 15:14:11 -0500


> > .. but I can't setattr on the perlref instance, so this doesn't work.
>
> The issue should be the same if you return a plain Python dict object,
> or am I missing something.

I believe the security machinery currently gathers __roles__ from things
that are of Python type InstanceType (of which perlref is one).  If they are
of that type, and they don't have a __roles__ attr (and if their
attribute "__allow_access_to_unprotected_subobjects__" doesn't evaluate to
true), __roles__ is assumed to be the empty list (which means nobody can
access it).  If they are of another type, they're assumed to be a builtin
(like a list or dict), and we try to get __roles__ from their container
(which is what we should do in the case that they're perlref).

I'll double-check this.

Y'know, now that I'm thinking of it, it may be enough to set the class attr
on perlref objects "__allow_access_to_unprotected_subobjects__ = 1", as
they're dynamically constructed and we never want to apply any security
constraints on them anyway (just their Zope PM containers).

>
> > Without jiggering of the security machinery or a way to set __roles__ on
> > perlref instances, doing (for example) in DTML:
> >
> > <dtml-in>
> >   <dtml-with "perlmwhichreturnshashref()">
> >      <dtml-in keys>
> >         <dtml-var sequence-item>
> >      </dtml-in>
> >   </dtml-with>
> > </dtml-in>
> >
> > ... doesn't work (the Zope security policy raises unauthorized at the
> > point in which you attempt to access keys).
> >
> > I *think* this can be solved in a couple of ways (each radically
> > different):
> >
> > - Do type conversion on hashrefs and arrayrefs to Python native
> > datatypes (dict, list) in a return to Python if the hash or array
> > keys/values are all string or number types.  This is potentially very
> > expensive, and a little DWIMish.
>
> You should really be able to force this yourself with a Script(Perl)
> thing that does:
>
>     my %hash = ( a => 42 );
>     return Python::dict(%hash);

OK.  With your latest patch, I should be able to do this from restricted
PMs.

> > - Allow perlref instances in Python to have a __dict__ and let us
> > assign to it from unrestricted code (so we can give it a __roles__).
>
> I don't think this is the right thing to do.  How are we supposed to
> keep the dict around if we pass this object though perl?  When it is
> passed to perl the 'perl ref' is unwrapped and the dict is gone.  When
> the hash reference is then passed back to python a new dict is set up
> for it?  Does not sound clean to me.

I hadn't thought about the case where you pass it between Python and Perl
multiple times in the same method.  :-(  You're right.

> > - Jigger the security machinery to do more DWIM.
>
> I don't know much about that.

Nobody does.  :-)

Thanks!

- C
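
The role lookup described in the message above, as an added Python model that is not part of the original post and is not Zope's own code. The names Container, PerlRef, OpenPerlRef, effective_roles and authorized are hypothetical, the builtin-type tuple stands in for the "not InstanceType" check, and falling back to the container's roles when the flag is true is an assumption.

```python
# Simplified model of the __roles__ lookup described in the message (not Zope code).
BUILTIN_TYPES = (dict, list, tuple, str, int, float)  # stand-in for "not InstanceType"
_MISSING = object()


class Container:
    """Hypothetical stand-in for the Zope Perl Method that returned the value."""
    def __init__(self, roles):
        self.__roles__ = roles


class PerlRef:
    """Hypothetical perlref-like instance: no __roles__ and no way to set one."""
    __slots__ = ("data",)

    def __init__(self, data):
        self.data = data

    def keys(self):
        return list(self.data)


class OpenPerlRef(PerlRef):
    """Same object with the class attribute proposed in the message."""
    __slots__ = ()
    __allow_access_to_unprotected_subobjects__ = 1


def effective_roles(value, container):
    """Return the roles that guard `value` when it is reached via `container`."""
    if isinstance(value, BUILTIN_TYPES):
        return container.__roles__          # builtins are guarded by their container
    roles = getattr(value, "__roles__", _MISSING)
    if roles is not _MISSING:
        return roles                        # the instance declares its own roles
    if getattr(value, "__allow_access_to_unprotected_subobjects__", 0):
        return container.__roles__          # assumption: defer to the container
    return []                               # empty list: nobody can access it


def authorized(user_roles, value, container):
    """True if any of the user's roles is allowed to access `value`."""
    allowed = effective_roles(value, container)
    return any(role in allowed for role in user_roles)
```

In this model a plain dict and an OpenPerlRef are both governed by the container's roles, while a bare PerlRef is denied to everyone, which matches the unauthorized error on `keys` in the DTML example.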