[Zope-Perl] Script (Perl) question
Gisle Aas
gisle@ActiveState.com
25 Jan 2001 12:56:16 -0800
"Chris McDonough" <chrism@digicool.com> writes:
> I think you can expose Python::getattr in restricted PerlMs by editing
> lib/perl/Zope.pm, much like Gisle's patch yesterday, e.g.:
>
> *{"$root\::AUTOLOAD"} = *AUTOLOAD;
> # make python constructors available
> *{"$root\::Python::int"} = \&Python::int;
> *{"$root\::Python::long"} = \&Python::long;
> *{"$root\::Python::float"} = \&Python::float;
> *{"$root\::Python::complex"} = \&Python::complex;
> *{"$root\::Python::list"} = \&Python::list;
> *{"$root\::Python::tuple"} = \&Python::tuple;
> *{"$root\::Python::dict"} = \&Python::dict;
> *{"$root\::Python::getattr"} = \&Python::getattr;
> *{"$root\::Python::setattr"} = \&Python::setattr;
>
> # This hack makes sure Python::Object objects in the compartment will
> # not get confused about their names.
> require Hack::Names;
>
> Then in the PerlM:
>
> my @names;
> my $cpl = Python::getattr($self, 'Control_Panel');
> return Python::list($cpl->objectIds);
>
> I have a feeling allowing access to setattr and getattr from Perl is a
> *real* bad idea in restricted PerlMs, because I imagine that no security
> checks are done in the process of setting/getting attrs. I will check.
This is true. Enabling them like that is wrong as it provides a way to
avoid security checks. You need to provide versions of
getattr/setattr that do things similar to what
&compartment_pyobject_AUTOLOAD does.
--Gisle
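
The difference between aliasing an unchecked accessor into a compartment and exposing a checked one, as an added example that is not part of the original message or of the Zope/pyperl code. It uses Perl's core Safe module; the object table, the allow-list policy and the names raw_getattr, guarded_getattr and run_restricted are hypothetical stand-ins for Python objects and Zope's security checks.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Constructed stand-in for a Python object: the data lives outside the
# compartment and restricted code only ever holds the opaque handle "obj1".
my %OBJECTS = (
    obj1 => { title => 'Control Panel', owner => 'admin', _password => 's3cret' },
);
# Hypothetical per-object policy: attributes restricted code may read.
my %READABLE = ( obj1 => { title => 1 } );

# Unchecked accessor, equivalent in effect to aliasing \&Python::getattr.
sub raw_getattr {
    my ($handle, $name) = @_;
    return $OBJECTS{$handle}{$name};
}

# Checked accessor: validates the request before touching the object.
sub guarded_getattr {
    my ($handle, $name) = @_;
    die "Unauthorized: private name '$name'\n" if $name =~ /^_/;
    die "Unauthorized: '$name' not permitted\n"
        unless $READABLE{$handle} && $READABLE{$handle}{$name};
    return $OBJECTS{$handle}{$name};
}

# Build a compartment exposing one accessor as getattr(), then run $code in it.
sub run_restricted {
    my ($accessor, $code) = @_;
    my $cpt = Safe->new;
    {
        no strict 'refs';
        *{ $cpt->root . '::getattr' } = $accessor;   # same aliasing style as Zope.pm
    }
    my $value = $cpt->reval($code);
    return $value if defined $value;
    (my $err = $@) =~ s/\s+\z//;
    return "DENIED ($err)";
}

for my $attr (qw(title owner _password)) {
    my $code = "getattr('obj1', '$attr')";
    printf "%-10s raw=%-14s guarded=%s\n", $attr,
        run_restricted(\&raw_getattr,     $code),
        run_restricted(\&guarded_getattr, $code);
}
```

The compartment's opcode mask only constrains code compiled inside it, so a shared sub runs with full privileges; any check has to live in the shared sub itself.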