[Zope-Perl] security
Chris McDonough
chrism@digicool.com
Wed, 24 Jan 2001 18:07:21 -0500
Thanks for the info!
> For this reason I would not encourage that we actually return perl
> data in Zope. I might even go as far as adding code to
> PerlMethod.__call__ that simply stringifies 'perl ref' objects returned
> from PerlMethods. This was actually what used to happen before
> 'pyperl-beta5'.
Well... I'm not sure that we want to disallow it. We should probably make
it clear in Zope docs that if you do return a ref, that it's a reference to
a data structure shared between Perl and Python, and that it shouldn't be
stored and used across threads. Since in many (most?) cases a ref is not
only local to the Perl subroutine, but is local to the Python scope in which
it's used, it should be gc'ed in the course of a single Zope request (which
almost always takes place within the context of a single Python thread).
For example, what I think is a good example use of this (although it doesn't
work yet :-) is in the unrestricted PerlM "finance", which has the arguments
"exchange" and "symbols", and is called like:

    <dtml-let ref="finance('nasdaq', ['MSFT', 'LNUX'])">:
      <dtml-in "ref.keys()">
        <dtml-var sequence-item>: <dtml-var "ref[_['sequence-item']]">
      </dtml-in>
    </dtml-let>

Where the body of the finance module is:

    package ZopeExt::finance;
    use Finance::Quote;
    use Python;

    sub finance {
        my ($exchange, $symbols) = @_;
        my @symbols = Python::list($symbols);
        my $quoter = Finance::Quote->new;
        my %info = $quoter->fetch($exchange, @symbols);
        my %retn;
        foreach $symbol (@symbols) {
            unless ($info{$symbol,"success"}) {
                $retn{$symbol} = "unknown";
                next;
            }
            $retn{$symbol} = $info{$symbol, "price"};
        }
        return \%retn;
    }
    1;

Does the spirit of this example make sense (other than the Perl seemingly
being wrong right now)? Am I way off base?
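
Added example, not part of the original message and not pyperl or Zope code: a Python sketch of the two options discussed in this thread, allowing a returned ref but refusing use outside the thread that created it, or copying it to plain data before it leaves the call. RequestLocalRef, CrossThreadUse, read_in_other_thread and the QUOTES values are hypothetical names and constructed data, and a plain dict stands in for the 'perl ref' object.

```python
import threading

class CrossThreadUse(RuntimeError):
    """A request-local reference was touched from another thread."""

class RequestLocalRef:
    """Pins a mapping-like result to the thread that created it.

    Hypothetical wrapper: stands in for a 'perl ref' handed back to Python.
    """
    def __init__(self, target):
        self._target = target
        self._owner = threading.get_ident()

    def _guard(self):
        if threading.get_ident() != self._owner:
            raise CrossThreadUse("ref used outside the thread that created it")
        return self._target

    def keys(self):
        return list(self._guard().keys())

    def __getitem__(self, key):
        return self._guard()[key]

    def snapshot(self):
        """Copy to a plain dict: nothing shared, safe to store or pass on."""
        target = self._guard()
        return {key: target[key] for key in target.keys()}

def read_in_other_thread(obj, key):
    """Read obj[key] from a new thread; return ('ok', value) or ('error', name)."""
    outcome = []
    def worker():
        try:
            outcome.append(("ok", obj[key]))
        except CrossThreadUse as exc:
            outcome.append(("error", type(exc).__name__))
    thread = threading.Thread(target=worker)
    thread.start()
    thread.join()
    return outcome[0]

# Constructed sample data in the shape the finance example returns.
QUOTES = {"MSFT": "61.50", "LNUX": "unknown"}

if __name__ == "__main__":
    ref = RequestLocalRef(QUOTES)
    print(sorted(ref.keys()), ref["MSFT"])               # same thread: allowed
    print(read_in_other_thread(ref, "MSFT"))             # other thread: refused
    print(read_in_other_thread(ref.snapshot(), "MSFT"))  # plain copy: fine
```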