[Zope3-dev] Re: Python version for Zope 3.4 ?

Martijn Faassen faassen at infrae.com
Fri Sep 29 07:12:42 EDT 2006


Dieter Maurer wrote:
> Philipp von Weitershausen wrote at 2006-9-28 11:22 +0200:
>> ...
>>> The last time this was discussed with Jim, the idea was to try to use
>>> Zope 3's security proxy approach in Zope 2 for Python Script security
>>> - Jim and I had some ideas I need to dredge up from the back of my
>>> mind.
> 
> I am quite fearful in this regard:
> 
>   Lots of existing code relies on the fact that trusted code
>   can do anything without having to worry about security.
> 
>   As security proxies restrict trusted code, too (though trusted
>   code can remove the wrapper), we might get more security
>   at the cost of massive backward incompatibility.
> 

I fully agree that this is dangerous.

The idea we had is to use security proxies that only exist inside of 
untrusted code, but do not leak out into trusted code. Anything that 
enters trusted code is wrapped in such security proxies.

Imagine a security proxy that only returns security-proxied objects, but 
does not security-proxy objects passed to any of its method parameters. 
This, hopefully, will allow the untrusted code to run with the security 
machinery without affecting the rest of the codebase.

The devil is in the details though.

Regards,

Martijn
