On Apr 10, 2009, at 3:20 PM, Shane Hathaway wrote:

> Martijn Faassen wrote:
>> Stephan Richter wrote:
>>> On Friday 10 April 2009, Jim Fulton wrote:
>>>>> Unfortunately these are ZC's use cases.
>>>> They are not just ZC's use cases.
>>> Keas is relying on that safety heavily too. Anyone who wants to build a secure DSL based on Python really wants zope.security.
>>
>> Okay, second case of such usage noticed.
>>
>> One thing that worries me is that PyPy folks keep saying it probably isn't really secure, though they refuse to specify why not when Chris Withers tried to find out last year at EuroPython.
>
> I suspect that's because Python allows anything by default; zope.security and RestrictedPython only provide a way to close known holes.
Wrong in the case of zope.security. zope.security uses security proxies that only allow what is specifically allowed and deny everything else. Because zope.proxy is written in C, there's no way to defeat it in Python.

The other potential holes I'm aware of are with:

- rocks, which I'm very conservative with, and
- __builtins__. You have to construct builtins very carefully, which we do, and make sure you avoid certain problematic builtins, which we also do.

It's hard to guess what they might be referring to, since they don't provide any specifics.

Jim

--
Jim Fulton
Zope Corporation

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
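The default-deny model Jim describes (a checker lists what may be touched; everything else, dunders included, is refused, and values read through a proxy stay behind a proxy) is easy to misunderstand without seeing it run. The following is an added illustration written for this page; it is not zope.security's or zope.proxy's code, and the names `Checker`, `SecurityProxy`, `define_checker`, `proxy`, `ROCKS` and the `Account` sample class are all invented here. It also shows why a pure-Python proxy is only a model of the real thing: operator and special-method lookups (`len()`, `+`) go to the type rather than through `__getattribute__`, and anything that can reach `object.__getattribute__` can reach around a Python-level proxy, which is exactly the reason zope.proxy is implemented in C.

```python
"""Toy default-deny security proxy (added example, not zope.security's implementation)."""
import types


class ForbiddenAttribute(AttributeError):
    """Raised when a proxied object is used in a way its checker does not allow."""


class Checker:
    """Whitelist of attribute names that may be read or written through a proxy."""

    def __init__(self, allowed_get=(), allowed_set=()):
        self.allowed_get = frozenset(allowed_get)
        self.allowed_set = frozenset(allowed_set)

    def check_getattr(self, name):
        if name not in self.allowed_get:
            raise ForbiddenAttribute(name)

    def check_setattr(self, name):
        if name not in self.allowed_set:
            raise ForbiddenAttribute(name)


DENY_ALL = Checker()   # any type with no registered checker gets this: nothing is allowed
_checkers = {}         # hypothetical registry: type -> Checker

# "Rocks": immutable values handed back unwrapped because they carry no authority.
# Constructed, deliberately short list for this example.
ROCKS = (bool, int, float, str, bytes, type(None))


def define_checker(cls, allowed_get=(), allowed_set=()):
    _checkers[cls] = Checker(allowed_get, allowed_set)


class SecurityProxy:
    """Every attribute read, write and call is routed through the checker first."""
    __slots__ = ('_obj', '_checker')

    def __init__(self, obj, checker):
        object.__setattr__(self, '_obj', obj)
        object.__setattr__(self, '_checker', checker)

    def __getattribute__(self, name):
        obj = object.__getattribute__(self, '_obj')
        checker = object.__getattribute__(self, '_checker')
        checker.check_getattr(name)        # unknown names, __class__ and __dict__ included, are refused
        return proxy(getattr(obj, name))   # whatever comes back is itself proxied

    def __setattr__(self, name, value):
        obj = object.__getattribute__(self, '_obj')
        checker = object.__getattribute__(self, '_checker')
        checker.check_setattr(name)
        setattr(obj, name, value)

    def __call__(self, *args, **kwargs):
        obj = object.__getattribute__(self, '_obj')
        checker = object.__getattribute__(self, '_checker')
        checker.check_getattr('__call__')  # calling is just another name that must be allowed
        return proxy(obj(*args, **kwargs))


def proxy(value):
    """Wrap a value unless it is already a proxy or a rock."""
    if type(value) is SecurityProxy:
        return value
    if isinstance(value, ROCKS):
        return value
    return SecurityProxy(value, _checkers.get(type(value), DENY_ALL))


# --- constructed sample domain -------------------------------------------------
class Account:
    def __init__(self, owner, balance):
        self.owner = owner
        self.balance = balance
        self._audit_log = []   # internal state: must stay unreachable through the proxy

    def deposit(self, amount):
        self.balance += amount
        self._audit_log.append(('deposit', amount))
        return self.balance


define_checker(Account, allowed_get=('owner', 'balance', 'deposit'))
define_checker(types.MethodType, allowed_get=('__call__',))   # bound methods may be called


def make_proxied_account():
    return proxy(Account('alice', 100))


def read_allowed(p):
    return p.owner, p.balance


def try_access(p, name):
    """True if reading `name` through the proxy is permitted, False if the checker refuses."""
    try:
        getattr(p, name)
    except ForbiddenAttribute:
        return False
    return True


def try_set(p, name, value):
    try:
        setattr(p, name, value)
    except ForbiddenAttribute:
        return False
    return True


def deposit_via_proxy(p, amount):
    return p.deposit(amount)


if __name__ == '__main__':
    acct = make_proxied_account()
    print(read_allowed(acct))                   # ('alice', 100)
    print(try_access(acct, '_audit_log'))       # False: not on the whitelist
    print(try_access(acct, '__class__'))        # False: dunders are not special-cased
    print(deposit_via_proxy(acct, 25))          # 125: method call allowed, int returned as a rock
    print(try_set(acct, 'balance', 0))          # False: no write permission was granted
```

Note the two places where authority leaks out in the real design and where Jim says care is needed: the rock list (anything returned unwrapped is reachable in full, so it must be limited to values that cannot do anything) and the builtins handed to untrusted code, which are a separate namespace this proxy does not govern and must be built by hand rather than copied from the interpreter.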