On Apr 10, 2009, at 3:20 PM, Shane Hathaway wrote:

> Martijn Faassen wrote:
>> Stephan Richter wrote:
>>> On Friday 10 April 2009, Jim Fulton wrote:
>>>>> Unfortunately these are ZC's use cases.
>>>> They are not just ZC's use cases.
>>> Keas is relying on that safety heavily too. Anyone who wants to  
>>> build a secure
>>> DSL based on Python really wants zope.security.
>> Okay, second case of such usage noticed.
>> One thing that worries me is that PyPy folks keep saying it probably
>> isn't really secure, though they refuse to specify why not when Chris
>> Withers tried to find out last year at EuroPython.
> I suspect that's because Python allows anything by default;
> zope.security and RestrictedPython only provide a way to close known
> holes.

Wrong in the case of zope.security.  zope.security uses security  
proxies that only allow what is specifically allowed and deny  
everything else.  Because zope.proxy is written in C, there's no way  
to defeat it in Python.
The other potential holes I'm aware of are with:

- rocks, which I'm very conservative with, and

- __builtins__.  You have to construct builtins very carefully, which  
we do and make sure you avoid certain problematic builtins, which we  
also do.

It's hard to guess what they might be referring to, since they don't  
provide any specifics.


Jim Fulton
Zope Corporation

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to