[Zope3-dev] datetime module

Thu, 07 Nov 2002 10:29:43 +0000

Marius Gedminas wrote:

> Hi,
>
> I'm trying to use datetime module in a Zope3 project.  There are at least
> two problems with that module:
>
> - date/time objects cannot be pickled, betcause datetime.basetime
>   defines an empty __slots__ but doesn't define __getstate__.  For all
>   __slots__ using objects Python provides a default 'bozo' __getstate__
>   which throws a TypeError ("a class that defines __slots__ without
>   defining __getstate__ cannot be pickled").

I wonder if the pickling machinery should do something special with 
classes that define __slots__ = [] ? This seems like a worthy 
special-case to me.

> - date/time objects are inaccessible from untrusted code (e.g. you
>   cannot do a somedateobject.isoformat() from a page template).  Should
>   there be appropriate security declarations somewhere in the
>   configure.zcml forest, or should these date/time objects be kept
>   unwrapped like objects of Python builtin types?

In Python2.3, datetime is a builtin.
In Python2.2 with Zope3, datetime is in the same place (lib/python), and 
so is a "given".

So, I think its security declarations belong in Checker.py, along with 
the declarations for other builtins such as dicts, tuples, lists and 
strings.

A datetime is not immutable (like a string or a tuple), even though it 
is intended to be used immutably. So, it cannot be a "rock", and it does 
need security assertions.

--
Steve Alexander