[Zope-Perl] Script (Perl) question

Gisle Aas gisle@ActiveState.com
25 Jan 2001 12:56:16 -0800


"Chris McDonough" <chrism@digicool.com> writes:

> I think you can expose Python::getattr in restricted PerlMs by editing
> lib/perl/Zope.pm, much like Gisle's patch yesterday, e.g.:
> 
>     *{"$root\::AUTOLOAD"} = *AUTOLOAD;
>     # make python constructors available
>     *{"$root\::Python::int"}     = \&Python::int;
>     *{"$root\::Python::long"}    = \&Python::long;
>     *{"$root\::Python::float"}   = \&Python::float;
>     *{"$root\::Python::complex"} = \&Python::complex;
>     *{"$root\::Python::list"}    = \&Python::list;
>     *{"$root\::Python::tuple"}   = \&Python::tuple;
>     *{"$root\::Python::dict"}    = \&Python::dict;
>     *{"$root\::Python::getattr"} = \&Python::getattr;
>     *{"$root\::Python::setattr"} = \&Python::setattr;
> 
>     # This hack makes sure Python::Object objects in the compartment will
>     # not get confused about their names.
>     require Hack::Names;
> 
> Then in the PerlM:
> 
> my @names;
> my $cpl = Python::getattr($self, 'Control_Panel');
> return Python::list($cpl->objectIds);
> 
> I have a feeling allowing access to setattr and getattr from Perl is a
> *real* bad idea in restricted PerlMs, because I imagine that no security
> checks are done in the process of setting/getting attrs.  I will check.

This is true.  Enabling them like that is wrong as it provides a way to
avoid security checks.  You need to provide versions of
getattr/setattr that do things similar to what
&compartment_pyobject_AUTOLOAD does.

--Gisle
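
The difference between aliasing a raw accessor into a compartment and aliasing a checked wrapper, as an added example that is not part of the original thread or of pyperl/Zope.pm. It uses Perl's core Safe module and a plain hash as a constructed stand-in for a Zope object; `raw_getattr`, `checked_getattr`, `run_restricted` and the `%allowed` policy table are hypothetical names, and the policy table only stands in for Zope's real security machinery.

```perl
use strict;
use warnings;
use Safe;

# Constructed stand-in for a Zope object (not a pyperl Python::Object):
# one attribute the restricted code may read, one it must not.
my $folder = { title => 'Control Panel', _secret => 'constructed-value' };

# Hypothetical policy; in Zope this decision belongs to the security machinery.
my %allowed = map { $_ => 1 } qw(title);

# Unchecked accessor: the analogue of aliasing \&Python::getattr directly.
sub raw_getattr {
    my ($obj, $name) = @_;
    return $obj->{$name};
}

# Checked accessor: consult the policy first, then delegate.
sub checked_getattr {
    my ($obj, $name) = @_;
    die "Unauthorized: $name\n" unless $allowed{$name};
    return raw_getattr($obj, $name);
}

# Evaluate getattr($self, $name) inside a fresh compartment whose only
# imported function is the accessor passed in as $getter.
sub run_restricted {
    my ($getter, $attr) = @_;
    my $cpt  = Safe->new;
    my $root = $cpt->root;
    {
        no strict 'refs';
        *{"$root\::getattr"} = $getter;   # same aliasing idiom as in Zope.pm
        ${"$root\::self"}    = $folder;
        ${"$root\::name"}    = $attr;
    }
    my $out = $cpt->reval('getattr($self, $name)');
    return "ok: $out" if defined $out;
    (my $err = $@) =~ s/\s+\z//;          # the wrapper's die lands in $@
    return "denied: $err";
}

print "raw     _secret -> ", run_restricted(\&raw_getattr,     '_secret'), "\n";
print "checked _secret -> ", run_restricted(\&checked_getattr, '_secret'), "\n";
print "checked title   -> ", run_restricted(\&checked_getattr, 'title'),   "\n";
```

The compartment's opcode mask only constrains code compiled inside it, so any function aliased in from outside runs unrestricted, which is why the check has to live in the function that gets aliased.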