[Zope] DTML, Zope and Regex

Jorge O. Martinez jmartinez@eMediaMillWorks.com
Wed, 10 Jul 2002 13:58:39 -0400


Paul Winkler wrote:
> On Wed, Jul 10, 2002 at 03:17:14PM +0100, Ben Avery wrote:
> 
>>well, external methods are python scripts with no safety measures at 
>>all, 
> 
> 
> For one thing, they live on the filesystem. If somebody has read/write access
> to your filesystem, you have much bigger problems than what they
> can do to your external methods. e.g. rm -f var/Data.fs.

I understand your concern with a situation like the above, but that is not 
exactly what I had in mind. I was thinking about matching/replacing strings 
and taking actions based on matches, not executing commands at the system level.

Additionally, when I am talking about regex functionality, I think it would 
help if it's enabled within the context of Zope (inside Data.fs only) as a 
default, and not allowed to interact with outside stuff in the filesystem. Then 
people who wanted even more functionality could enable filesystem functionality 
at their own risk. For enhanced security only members of some group could be 
given the right to execute regexes, or, even better, only certain folders could 
be enabled for that. Just some ideas...

> 
> For another thing, you can control via zope's security interface who
> has permission to add External Methods. So you can restrict them to
> trusted developers.
> 
> At least, I think that's the idea...
> 



-- 
Jorge O. Martinez
MIS Senior Associate
FDCH-eMedia Inc.
2400 Forbes Blvd., Suite 200
Lanham, MD 20706
E-mail  => jmartinez@eMediaMillWorks.com
Phone   => (301)731-1228 ext. 105
Fax     => (301)731-0937