[Zope3-dev] Nasty bugs
Shane Hathaway
shane@zope.com
Wed, 20 Mar 2002 11:28:14 -0500
R. David Murray wrote:
> On Wed, 20 Mar 2002, Shane Hathaway wrote:
>
>>Here's a thought. We need primitives that are mutable to sometimes be
>>wrapped, for example to prevent a list, returned from a function unaware
>>of security, from being mutated by untrusted code. But "None", numbers,
>>and strings probably shouldn't ever be wrapped. As for tuples, it's
>>hard to say.
>>
>
> But doesn't security also apply to *viewing* data? As Steve pointed
> out, we can have (and do have) some highly structured "primitive"
> data being passed around, and I can easily see wanting to apply
> "read" security to such data. On the other hand, I may be missing
> something obvious because I don't fully understand the security
> model yet.

Right. Attribute access has to be restricted based on the security
policy. But once you have the value of an attribute and it's a number,
string, or None, there is no reason to wrap that value. I don't think
we need a security policy so fine-grained that it can decide what parts
of a string untrusted code is allowed to look at, or whether you're
allowed to determine the fractional component of a float. ;-)

Shane
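
The rule discussed in this message, as an added Python example that is not part of the original post and is not Zope's own code: attribute reads go through a policy check, None, numbers and strings come back bare, and mutable values such as lists come back wrapped. The names Proxy, Forbidden, wrap, ALLOWED and Account are hypothetical, and proxying tuples is an assumption of this example.

```python
# Added illustration, not Zope code: Proxy, Forbidden, wrap, ALLOWED and
# Account are hypothetical names. A pure-Python proxy does not hide _obj
# from determined code; this demonstrates the wrapping rule only.
BASIC_TYPES = (type(None), bool, int, float, complex, str, bytes)

class Forbidden(Exception):
    """Raised when the policy denies an attribute access or a write."""

def wrap(value, policy):
    # Exact type match: a subclass of str or int may carry mutable state.
    # Tuples are proxied here, a conservative choice made for this example.
    if type(value) in BASIC_TYPES:
        return value
    return Proxy(value, policy)

class Proxy:
    __slots__ = ("_obj", "_policy")

    def __init__(self, obj, policy):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_policy", policy)

    def __getattr__(self, name):
        # Every read is checked; the result is wrapped unless it is basic.
        if not self._policy(self._obj, name):
            raise Forbidden(name)
        return wrap(getattr(self._obj, name), self._policy)

    def __setattr__(self, name, value):
        raise Forbidden(name)

    def __call__(self, *args, **kwargs):
        # Access to the callable was checked when it was fetched.
        return wrap(self._obj(*args, **kwargs), self._policy)

class Account:
    def __init__(self):
        self.owner, self.balance = "alice", 12.5
        self.history = ["opened"]      # mutable, must stay wrapped
        self.secret = "constructed"    # not listed in ALLOWED

ALLOWED = {Account: {"owner", "balance", "history"}, list: {"count", "index"}}

def policy(obj, name):
    return name in ALLOWED.get(type(obj), ())
```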