Alan Milligan wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

This patch is against CMF-1.4.7, although one could equally argue it
better suited elsewhere - there appear to me to be minor uncomfortable
dependencies regardless of where it sits (unless it's made an
independent product - which seems a little unwarranted given it's
simplicity).

Dependency management is one of the main reasons for splitting packages. I note that the dependency is on Products.PerlMethod: is that product suitable for inclusion in the Zope core? And where does it live now?


This patch includes the following:
~   FSPerlScript.py
~   images/fspl.gif    (needs an artiste to draw a padlock!)
~   tests/test_FSPerlScript.py
~   tests/fake_skins/fake_skin/test1.pl
~   tests/fake_skins/fake_skin/test2.pl
~   __init__.py  (FSPerlScript registration)

Unfortunately, FSPerlScript is not quite as useful as I'd anticipated,
given that the 'use' statement is a restricted opcode.
>
I am more than willing to discuss with any interested party(s) how we
may implement a security mechanism whereby we can specify 'safe' Perl
modules, much as we do with the Python modules_allow stuff.

There is a lot of infrastructure to support "safe imports" from Python modules; I imagine some of it would be at least reusable as a source of patterns:


  - $ZOPE_HOME/lib/python/AccessControl/ZopeGuards.py has a
    'guarded_import' function, which gets injected into the
    'safe_builtins' mapping as '__import__'.

  - It depends on assertions registered in the ModuleSecurityInfo
    helper in $ZOPE_HOME/lib/python/AccessControl/SecurityInfo.py.

Tres.
--
===============================================================
Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"       http://www.zope.com

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

Reply via email to