Re: [Zope-dev] SVN: Zope/trunk/ OFS.ObjectManager now fully implements the zope.container.IContainer interface
Tres Seaver wrote:
> Hanno Schlichting wrote:
>> Tres Seaver wrote:
>>> Using __setitem__ and __delitem__ has security implications for
>>> untrusted code: how are you addressing them?
>> Maybe I'm missing some knowledge about the security machinery then. I
>> thought the methods wouldn't be available to untrusted code at all, as
>> they start with an underscore. You simply won't be able to write
>> om['id'] in untrusted code and still need to use the existing API.
>
> You don't access them by name when doing 'del om["id"]' or 'om["id"] =
> None', so the underscore doesn't matter. I just tried from a
> PythonScript and got a TypeError out of the RestrictedPython.Guards
> module, so I guess that the obvious cases are covered.

Ok. I'll need to add more tests for these cases then.

Hanno
___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] SVN: Zope/trunk/ OFS.ObjectManager now fully implements the zope.container.IContainer interface
Hanno Schlichting wrote:
> Tres Seaver wrote:
>> Using __setitem__ and __delitem__ has security implications for
>> untrusted code: how are you addressing them?
>
> Maybe I'm missing some knowledge about the security machinery then. I
> thought the methods wouldn't be available to untrusted code at all, as
> they start with an underscore. You simply won't be able to write
> om['id'] in untrusted code and still need to use the existing API.

You don't access them by name when doing 'del om["id"]' or 'om["id"] =
None', so the underscore doesn't matter. I just tried from a
PythonScript and got a TypeError out of the RestrictedPython.Guards
module, so I guess that the obvious cases are covered.

Tres.
--
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
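The point made in the reply above, as an added example that is not part of the original post and is not Zope or RestrictedPython code: a simplified model in which an underscore-name check lets `om['id'] = None` through, and a write-guard rewrite of subscript targets stops it. `NameCheck`, `WriteGuard`, `write_guard`, `ObjectManager` and `run_untrusted` are hypothetical stand-ins, and the guard policy is constructed for the sketch.

```python
import ast

class NameCheck(ast.NodeVisitor):
    """Reject names and attributes that start with an underscore."""
    def visit_Name(self, node):
        if node.id.startswith("_"):
            raise SyntaxError(f"name {node.id!r} is not allowed")
    def visit_Attribute(self, node):
        if node.attr.startswith("_"):
            raise SyntaxError(f"attribute {node.attr!r} is not allowed")
        self.generic_visit(node)

class WriteGuard(ast.NodeTransformer):
    """Rewrite x[k] = v and del x[k] into write_guard(x)[k] = v / del ..."""
    def visit_Subscript(self, node):
        self.generic_visit(node)
        if isinstance(node.ctx, (ast.Store, ast.Del)):
            guard = ast.Name("write_guard", ast.Load())
            node.value = ast.Call(guard, [node.value], [])
        return node

def write_guard(obj):
    # Constructed policy for this sketch: only plain dicts and lists are writable.
    if type(obj) in (dict, list):
        return obj
    raise TypeError(f"restricted code may not modify {type(obj).__name__}")

class ObjectManager:
    """Hypothetical stand-in for OFS.ObjectManager with item access."""
    def __init__(self):
        self._objects = {}
    def __setitem__(self, key, value):
        self._objects[key] = value
    def __delitem__(self, key):
        del self._objects[key]

def run_untrusted(source, om, guarded):
    """Compile and run source with om in scope; guarded adds the rewrite."""
    tree = ast.parse(source)
    NameCheck().visit(tree)  # sees no underscore in om['id'] = None
    if guarded:
        tree = ast.fix_missing_locations(WriteGuard().visit(tree))
    env = {"__builtins__": {}, "om": om, "write_guard": write_guard}
    exec(compile(tree, "<untrusted>", "exec"), env)
```

With `guarded=False` the subscript assignment mutates the container even though `om.__setitem__(...)` is rejected by name; with `guarded=True` the same statement raises `TypeError` before the container is touched.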
Re: [Zope-dev] SVN: Zope/trunk/ OFS.ObjectManager now fully implements the zope.container.IContainer interface
Tres Seaver wrote:
> Using __setitem__ and __delitem__ has security implications for
> untrusted code: how are you addressing them?

Maybe I'm missing some knowledge about the security machinery then. I
thought the methods wouldn't be available to untrusted code at all, as
they start with an underscore. You simply won't be able to write
om['id'] in untrusted code and still need to use the existing API.

Hanno
Re: [Zope-dev] SVN: Zope/trunk/ OFS.ObjectManager now fully implements the zope.container.IContainer interface and no longer just claims to do so. See the changelog for details and how backwards compa
Hanno Schlichting wrote:
> -- Acquisition has been made aware of __parent__ pointers. This allows > +- OFS.ObjectManager now fully implements the zope.container.IContainer > + interface. For the last Zope2 releases it already claimed to implement the > + interface, but didn't actually full-fill the interface contract. This means > + you can start using more commonly used Python idioms to access objects > inside > + object managers. Complete dictionary-like access and container methods > + including iteration are now supported. For each class derived from > + ObjectManager you can use for any instance om: `om.keys()` instead of > + `om.objectIds()`, `om.values()` instead of `om.objectValues()`, but also > + `om.items()`, `ob.get('id')`, `ob['id']`, `'id' in om`, `iter(om)`, > + `len(om)`, `om['id'] = object()` instead of `om._setObject('id', object())` > + and `del ob['id']`.

Using __setitem__ and __delitem__ has security implications for
untrusted code: how are you addressing them?

Tres.
--
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
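Review bot: the changelog sentence offering `om['id'] = object()` in place of `om._setObject('id', object())`, and adding `del ob['id']`, does not say what protects item assignment and deletion when the caller is restricted code. `_setObject` is underscore-prefixed, while the subscript forms contain no name that could be rejected, so the entry should state which guard or permission check covers them, and the change should come with tests that exercise both forms from restricted code. Separately, the added lines switch between `om` and `ob` for the same instance (`ob.get('id')`, `ob['id']`, `del ob['id']`); use `om` throughout, and spell "full-fill" as "fulfill".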