Re: [Zope] build a safe proxy
oh, cool ! I was not aware of that, so that's exactly what I need.

Thanks,

Eric BREHAULT

On 3/16/07, Martijn Pieters <[EMAIL PROTECTED]> wrote:
> On 3/16/07, Eric Bréhault <[EMAIL PROTECTED]> wrote:
> > My understanding of PythonScripts is it is a way to allow the import of such
> > or such module, and the use of such or such method in those modules, but it
> > doesn't prevent the access to such or such attributes on existing objects,
> > does it ?
>
> It uses the Zope security machinery to determine what access the code has.
> So the code in a script cannot access any attributes that the user running
> the code has access to through the web in the first place.
>
> --
> Martijn Pieters

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] build a safe proxy
On 3/16/07, Eric Bréhault <[EMAIL PROTECTED]> wrote:
> My understanding of PythonScripts is it is a way to allow the import of such
> or such module, and the use of such or such method in those modules, but it
> doesn't prevent the access to such or such attributes on existing objects,
> does it ?

It uses the Zope security machinery to determine what access the code has.
So the code in a script cannot access any attributes that the user running
the code has access to through the web in the first place.

--
Martijn Pieters
Re: [Zope] build a safe proxy
+---[ Eric Bréhault ]--
| My understanding of PythonScripts is it is a way to allow the import of such or
| such module, and the use of such or such method in those modules, but it
| doesn't prevent the access to such or such attributes on existing objects, does
| it ?

That's why you subclass it and add whatever checking you want to it.

However, by default, you can't access attributes beginning with '_' in python
scripts, which I believe was your initial problem, that your proxy object was
being subverted by access to an attribute name beginning with '_'

--
Andrew Milton
[EMAIL PROTECTED]
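The rule described in the message above (no access to attributes beginning with '_'), sketched as a static check over a formula's syntax tree. This is an added example, not code from the thread or from Zope; FormulaGuard, check_formula, DYNAMIC_LOOKUPS and the sample formulas are assumptions made for the illustration, and the check covers the naming rule only, not the permission checks Python Scripts apply.

```python
import ast

# Builtins that look attributes up by a run-time string: a static check
# cannot see which name they will use, so formulas may not call them.
DYNAMIC_LOOKUPS = {"getattr", "setattr", "delattr", "vars", "eval", "exec"}

class FormulaGuard(ast.NodeVisitor):
    """Collect the constructs a formula is not allowed to contain."""

    def __init__(self):
        self.violations = []

    def _flag(self, node, what):
        self.violations.append("line %d: %s" % (node.lineno, what))

    def visit_Attribute(self, node):
        # The rule from the thread: no attribute whose name starts with "_".
        if node.attr.startswith("_"):
            self._flag(node, "attribute %r starts with '_'" % node.attr)
        self.generic_visit(node)  # keep walking: a._b.c hides _b one level down

    def visit_Name(self, node):
        if node.id.startswith("_") or node.id in DYNAMIC_LOOKUPS:
            self._flag(node, "name %r is not allowed" % node.id)

    def visit_Import(self, node):
        self._flag(node, "import statement")

    visit_ImportFrom = visit_Import

def check_formula(source):
    """Return a list of violations; an empty list means the formula passed."""
    try:
        tree = ast.parse(source, "<formula>", "exec")
    except SyntaxError as exc:
        return ["line %s: syntax error: %s" % (exc.lineno, exc.msg)]
    guard = FormulaGuard()
    guard.visit(tree)
    return guard.violations

# Constructed formulas, modelled on the expressions quoted in the thread.
ALLOWED = "portal.portal_membership.getMemberById(id).getProperty('email')"
BLOCKED = "portal._obj.portal_catalog"
MANGLED = "portal._SafeProxy__obj"

if __name__ == "__main__":
    for formula in (ALLOWED, BLOCKED, MANGLED):
        print(formula, "->", check_formula(formula) or "ok")
```

A formula is compiled and run only when check_formula returns an empty list; which methods it may then call on the portal tools is a separate, run-time decision.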
Re: [Zope] build a safe proxy
My understanding of PythonScripts is it is a way to allow the import of such or
such module, and the use of such or such method in those modules, but it
doesn't prevent the access to such or such attributes on existing objects,
does it ?

Eric BREHAULT

On 3/16/07, Andrew Milton <[EMAIL PROTECTED]> wrote:
> +---[ Eric Bréhault ]--
> | [snip]
> | As I do not plan to develop my own script language to do it, I thought I could
> | use directly Python, and run it using exec.
>
> Why not just use Python Scripts? Or a custom subclass of Python Scripts with
> the added security options you want?
>
> --
> Andrew Milton
> [EMAIL PROTECTED]
Re: [Zope] build a safe proxy
On 3/16/07, Eric Bréhault <[EMAIL PROTECTED]> wrote:
> One important aspect is the ability to create custom action buttons or custom
> scheduled agents to automate some basic processes over the managed content.
> As I do not plan to develop my own script language to do it, I thought I could
> use directly Python, and run it using exec.

Use Python Scripts, or Products.PageTemplates.ZRPythonExpr if one-liners will
do. These modules take care of sandboxing and applying security restrictions
for you.

Look at CMFCore.Expression for an example of how to use the latter, it uses
the PageTemplates engine to create the compiled expression, together with an
expression context (a global namespace for the expressions to access)

--
Martijn Pieters
Re: [Zope] build a safe proxy
Eric Bréhault wrote:
> What would you recommend ? What is the 'official' way to run an untrusted
> python code with exec and control what this code can do or not ?

I'm not sure what you mean by this, but perhaps letting the "untrusted python"
use python's xmlrpc libraries to interact with Zope would give you what you're
after?

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
Re: [Zope] build a safe proxy
+---[ Eric Bréhault ]--
| [snip]
| As I do not plan to develop my own script language to do it, I thought I could
| use directly Python, and run it using exec.

Why not just use Python Scripts? Or a custom subclass of Python Scripts with
the added security options you want?

--
Andrew Milton
[EMAIL PROTECTED]
Re: [Zope] build a safe proxy
What I am trying to do is to build a Lotus Domino-like toolkit under
Zope/Plone, so basically my product allows people to build their own
groupware-oriented business applications directly from the Plone user
interface (by designing forms, views, etc...).

One important aspect is the ability to create custom action buttons or custom
scheduled agents to automate some basic processes over the managed content.

As I do not plan to develop my own script language to do it, I thought I could
use directly Python, and run it using exec.

And yes, it would be insane if it was not controlled and restricted. That is
precisely what I am working on.

Eric BREHAULT
http://www.brehault.net/plomino/

On 3/15/07, Jens Vagelpohl <[EMAIL PROTECTED]> wrote:
> On 15 Mar 2007, at 21:19, Eric Bréhault wrote:
> > What would you recommend ? What is the 'official' way to run an
> > untrusted python code with exec and control what this code can do
> > or not ?
>
> There is no official way because running untrusted code with "exec"
> is an insane proposition.
>
> jens
Re: [Zope] build a safe proxy
On 15 Mar 2007, at 21:19, Eric Bréhault wrote:
> What would you recommend ? What is the 'official' way to run an
> untrusted python code with exec and control what this code can do
> or not ?

There is no official way because running untrusted code with "exec"
is an insane proposition.

jens
Re: [Zope] build a safe proxy
On Thu, Mar 15, 2007 at 09:19:29PM +0100, Eric Bréhault wrote:
> No :-)
> I just want to run untrusted Python code using exec

Why exec? That's nearly always a terrible idea.

-PW

--
Paul Winkler
http://www.slinkp.com
Re: [Zope] build a safe proxy
----- Original Message -----
From: "Eric Bréhault" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 15, 2007 4:19 PM
Subject: Re: [Zope] build a safe proxy

> No :-)
> I just want to run untrusted Python code using exec and I need this code to
> be allowed to access a few methods on a few Plone portal tools, but nothing
> else.
>
> For instance:
>     portal_membership.getMemberById(id).getProperty('email')
> would be accepted but:
>     portal_membership.addMember()
> would be forbidden.
>
> I tried to use zope.security.untrustedpython and also I had a look in
> zope.tales.expressions to understand how it works but I didn't succeed in
> understanding how I can define what is authorized and what is forbidden.
> Apparently it must be done using NamesChecker but I haven't found
> documentation about it (I tried to copy/paste the unit tests but
> unsuccessfully...).
>
> What would you recommend ? What is the 'official' way to run an untrusted
> python code with exec and control what this code can do or not ?

How about an external method?

Jonathan
Re: [Zope] build a safe proxy
No :-)
I just want to run untrusted Python code using exec and I need this code to be
allowed to access a few methods on a few Plone portal tools, but nothing else.

For instance:
    portal_membership.getMemberById(id).getProperty('email')
would be accepted but:
    portal_membership.addMember()
would be forbidden.

I tried to use zope.security.untrustedpython and also I had a look in
zope.tales.expressions to understand how it works but I didn't succeed in
understanding how I can define what is authorized and what is forbidden.
Apparently it must be done using NamesChecker but I haven't found
documentation about it (I tried to copy/paste the unit tests but
unsuccessfully...).

What would you recommend ? What is the 'official' way to run an untrusted
python code with exec and control what this code can do or not ?

Thanks,

Eric BREHAULT

On 3/15/07, Andreas Jung <[EMAIL PROTECTED]> wrote:
> --On 15. März 2007 16:33:56 +0100 Eric Bréhault <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > I am trying to build a safe proxy to wrap the Plone portal object in order
> > to control what is allowed or not.
>
> You're trying to reinvent the Zope security machinery?
>
> -aj
Re: [Zope] build a safe proxy
--On 15. März 2007 16:33:56 +0100 Eric Bréhault <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I am trying to build a safe proxy to wrap the Plone portal object in order
> to control what is allowed or not.

You're trying to reinvent the Zope security machinery?

-aj
[Zope] build a safe proxy
Hello,

I am trying to build a safe proxy to wrap the Plone portal object in order to
control what is allowed or not.

Here is my code:

    class SafeProxy:
        def __init__(self, obj):
            # Written through __dict__ because __setattr__ below refuses everything
            self.__dict__['_obj'] = obj

        def __getattr__(self, attr):
            # Only called for names not found on the proxy instance itself
            attributes_whitelist = ['portal_membership', 'MailHost']
            if attr in attributes_whitelist:
                return getattr(self._obj, attr)
            else:
                raise AttributeError(attr + " not allowed in Plomino formula context")

        def __setattr__(self, attr, val):
            raise AttributeError(attr + " not allowed in Plomino formula context")

Then I use it that way:

    safeportal=SafeProxy(portal)
    safeportal.portal_membership
    safeportal.portal_catalog
    AttributeError: portal_catalog not allowed in Plomino formula context

which is perfect.

But my problem is:

    safeportal._obj.portal_catalog

How can I hide completely the SafeProxy _obj ? How can I make sure it can only
be used from the SafeProxy class code itself and nowhere else ? How can I turn
it private ?
(in Python private attributes are supposed to start with 2 underscores: __obj,
but it just mangles with the classname: _SafeProxy__obj, so it just guarantees
it will not be overwritten by another class, it does not physically protect it)

OR (if totally impossible in Python): how can I do it another way ? maybe using
zope.proxy.ProxyBase, but I do not find any documentation about it...

Thanks in advance,

Eric BREHAULT