Hi,
This patch is against CMF-1.4.7, although one could equally argue it is better suited elsewhere - there appear to me to be minor uncomfortable dependencies regardless of where it sits (unless it's made an independent product - which seems a little unwarranted given its simplicity).
Dependency management is one of the main reasons for splitting packages. I note that the dependency is on Products.PerlMethod: is that product suitable for inclusion in the Zope core? And where does it live now?
> This patch includes the following:
> ~ FSPerlScript.py
> ~ images/fspl.gif (needs an artiste to draw a padlock!)
> ~ tests/test_FSPerlScript.py
> ~ tests/fake_skins/fake_skin/test1.pl
> ~ tests/fake_skins/fake_skin/test2.pl
> ~ __init__.py (FSPerlScript registration)
Unfortunately, FSPerlScript is not quite as useful as I'd anticipated, given that the 'use' statement is a restricted opcode.
I am more than willing to discuss with any interested party(s) how we may implement a security mechanism whereby we can specify 'safe' Perl modules, much as we do with the Python modules_allow stuff.
There is a lot of infrastructure to support "safe imports" from Python modules; I imagine some of it would be at least reusable as a source of patterns:
- $ZOPE_HOME/lib/python/AccessControl/ZopeGuards.py has a 'guarded_import' function, which gets injected into the 'safe_builtins' mapping as '__import__'.
- It depends on assertions registered in the ModuleSecurityInfo helper in $ZOPE_HOME/lib/python/AccessControl/SecurityInfo.py.
Tres.
--
===============================================================
Tres Seaver [EMAIL PROTECTED]
Zope Corporation "Zope Dealers" http://www.zope.com
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
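The pattern described in the reply above (an import guard installed as `__import__` in the restricted builtins, driven by per-module assertions) can be sketched in plain Python. This is an added example, not Zope's AccessControl code and not part of the original message; `declare_public`, `run_restricted` and the sample policy are hypothetical names, and only the import hook is modeled.

```python
import builtins

# Hypothetical registry: module name -> frozenset of importable names,
# or None when the whole module is declared public.
_assertions = {}


def declare_public(module, names=None):
    """Record that restricted code may import `module` (optionally only `names`)."""
    _assertions[module] = None if names is None else frozenset(names)


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Stand-in for __import__ that consults the registry before importing."""
    if level != 0:
        raise ImportError("relative imports are not allowed in restricted code")
    if name not in _assertions:
        raise ImportError(f"import of {name!r} is not authorized")
    allowed = _assertions[name]
    if allowed is not None:
        # A bare "import m" would hand over the whole module object, so a
        # partially public module may only be used via "from m import x".
        if not fromlist:
            raise ImportError(f"{name!r} is only partially public; use 'from' imports")
        for item in fromlist:
            if item not in allowed:
                raise ImportError(f"import of {item!r} from {name!r} is not authorized")
    return builtins.__import__(name, globals, locals, fromlist, level)


# The guard is installed under the name the import statement looks up.
safe_builtins = {"__import__": guarded_import, "len": len, "range": range}


def run_restricted(source):
    """Execute `source` with only `safe_builtins` visible; return its namespace."""
    env = {"__builtins__": safe_builtins}
    exec(source, env)
    return env


# Constructed sample policy.
declare_public("math", names=["sqrt"])
declare_public("string")
```

A 'safe' Perl module list would need the same two pieces: a registry of per-module assertions and a single choke point that every module load passes through.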