Dieter Maurer wrote:
Philipp von Weitershausen wrote at 2006-9-28 11:22 +0200:
The last time this was discussed with Jim, the idea was to try to use
Zope 3's security proxy approach in Zope 2 for Python Script security
- Jim and I had some ideas I need to dredge up from the back of my
I am quite fearful in this regard:
Lots of existing code rely on the fact that trusted code
can do anything without to worry about security.
As security proxies restrict trusted code, too (though trusted
code can remove the wrapper), we might get more security
at the cost of massive backward incompatibility.
I fully agree that this is dangerous.
The idea we had is to use security proxies that only exist inside of
untrusted code, but do not leak out into trusted code. Anything that
enters trusted code is wrapped in such security proxies.
Imagine a security proxy that only returns security-proxied objects, but
does not security-proxy objects passed to any of its method parameters.
This, hopefully, will allow the untrusted code to run with the security
machinery without affecting the rest of the codebase.
The devil is in the details though.
Zope3-dev mailing list