Dieter Maurer wrote:
Philipp von Weitershausen wrote at 2006-9-28 11:22 +0200:
...
The last time this was discussed with Jim, the idea was to try to use
Zope 3's security proxy approach in Zope 2 for Python Script security
- Jim and I had some ideas I need to dredge up from the back of my
mind.


I am quite fearful in this regard:

  Lots of existing code rely on the fact that trusted code
  can do anything without to worry about security.

  As security proxies restrict trusted code, too (though trusted
  code can remove the wrapper), we might get more security
  at the cost of massive backward incompatibility.


I fully agree that this is dangerous.

The idea we had is to use security proxies that only exist inside of untrusted code, but do not leak out into trusted code. Anything that enters trusted code is wrapped in such security proxies.

Imagine a security proxy that only returns security-proxied objects, but does not security-proxy objects passed to any of its method parameters. This, hopefully, will allow the untrusted code to run with the security machinery without affecting the rest of the codebase.

The devil is in the details though.

Regards,

Martijn


_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to