[ZDP] BackTalk to Document The Zope Book (2.5 Edition)/Appendix B: API Reference

webmaster@zope.org webmaster@zope.org
Mon, 23 Sep 2002 12:14:27 -0400

A comment to the paragraph below was recently added via http://www.zope.org/Documentation/Books/ZopeBook/current/AppendixB.stx#2-187


    Python Scripts can contain a "safe" subset of the python language.
    Python Scripts must be safe because they can be potentially edited by
    many different users through an insecure medium like the web.  The
    following safety issues drive the need for secure Python Scripts:

      o Because many users can use Zope, a Python Script must make sure it
        does not allow a user to do something they are not allowed to do,
        like deleting an object they do not have permission to delete.
        Because of this requirement, Python Scripts do many security checks
        in the course of their execution.

      o Because Python Scripts can be edited through the insecure medium of
        the web, they are not allowed access to the Zope server's
        file-system.  Normal Python builtins like 'open' are, therefore,
        not allowed.

      o Because many standard Python modules break the above two security
        restrictions, only a small subset of Python modules may be imported
        into a Python Scripts with the "import" statement unless they have
        been validated by Zope's security policy.  Currently, the following
        standard python modules have been validated:

          o string

          o math

          o whrandom and random

          o Products.PythonScripts.standard

      o Because it allows you to execute arbitrary python code, the python
        "exec" statement is not allowed in Python methods.

      o Because they may represent or cause security violations, some
        Python builtin functions are not allowed.  The following
        Python builtins are not allowed:

          o open

          o input

          o raw_input

          o eval

          o execfile

          o compile

          o type

          o coerce

          o intern

          o dir

          o globals

          o locals

          o vars

          o buffer

          o reduce

      o Other builtins are restricted in nature.  The following builtins
        are restricted:

          range -- Due to possible memory denial of service attacks, the
          range builtin is restricted to creating ranges less than 10,000
          elements long.

          filter, map, tuple, list -- For the same reason, builtins
          that construct lists from sequences do not operate on strings.

          getattr, setattr, delattr -- Because these may enable Python
          code to circumvent Zope's security system, they are replaced with
          custom, security constrained versions.

      o In order to be consistent with the Python expressions
        available to DTML, the builtin functions are augmented with a
        small number of functions and a class:

          o test

          o namespace

          o render

          o same_type

          o DateTime

      o Because the "print" statement cannot operate normally in Zope,
        its effect has been changed.  Rather than sending text to
        stdout, "print" appends to an internal variable.  The special
        builtin name "printed" evaluates to the concatenation of all
        text printed so far during the current execution of the

      % Anonymous User - Sep. 23, 2002 12:14 pm:
       What about the python function "id"? It seems to be restricted to.