[Python-Dev] known obvious thing or bug (rexec)?

Guido van Rossum guido@python.org
Mon, 16 Dec 2002 15:09:39 -0500


> I agree (but I have said that in the past) the best thing is to
> deprecate/rip out rexec.  I have looked a bit at zope.security, it
> seems based on a better model, maybe if it's successful it could be
> incorporated in the std lib in the future ...

But of course to some extent Zope's security depends on some of the
features of Python's security (like being able to override
__builtins__).

Though especially the Zope3 approach, using security proxies
implemented in C, seems quite safe: *no* attribute can be accessed
without confirmation from the security checker.  In this situation,
type(x) will return a security proxy for the type of x; type is
replaced with a security-aware version when executing untrusted code.

I note that we're finding it convenient to let __str__ and __repr__
bypass the security proxy though.  This means that str() of a
security-proxy-wrapped container will call str() on the unwrapped
items inside the container.  Of course, this simply means that __str__
and __repr__ should not reveal sensitive information; not a big burden
IMO.

Disclaimer: I know shit about security. :-(

--Guido van Rossum (home page: http://www.python.org/~guido/)
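
The behaviour described in the message above, as an added sketch that is not part of the original e-mail and is not zope.security's code: a checker gates every explicit attribute access, results come back wrapped, and `str()`/`repr()` pass straight through to the unwrapped object. The class names, the per-type `CHECKERS` table, `secure_type` and the `Account` sample are all hypothetical.

```python
# Added sketch: pure Python, not zope.security's C proxy and not a sandbox
# boundary. Every name here is hypothetical; the sample data is constructed.
class Forbidden(Exception):
    """The checker refused an attribute access."""
class Checker:
    def __init__(self, *allowed):
        self.allowed = frozenset(allowed)
    def check(self, name):
        if name not in self.allowed:
            raise Forbidden(name)

class Proxy:
    __slots__ = ("_obj", "_checker")
    def __init__(self, obj, checker):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)
    def __getattribute__(self, name):      # every explicit attribute access
        object.__getattribute__(self, "_checker").check(name)
        return wrap(getattr(object.__getattribute__(self, "_obj"), name))
    def __getitem__(self, key):            # items come back wrapped
        object.__getattribute__(self, "_checker").check("__getitem__")
        return wrap(object.__getattribute__(self, "_obj")[key])
    def __str__(self):                     # the bypass described in the mail
        return str(object.__getattribute__(self, "_obj"))
    def __repr__(self):
        return repr(object.__getattribute__(self, "_obj"))

BASIC = (str, int, float, bool, type(None), Proxy)
def wrap(obj):
    """Pass basic values and proxies through; proxy everything else."""
    if type(obj) in BASIC:
        return obj
    return Proxy(obj, CHECKERS.get(type(obj), Checker()))  # default: deny all

def secure_type(x):                        # stand-in for type() in untrusted code
    if type(x) is Proxy:
        x = object.__getattribute__(x, "_obj")
    return wrap(type(x))

class Account:
    def __init__(self, owner, token):
        self.owner, self.token = owner, token
    def __repr__(self):                    # reveals a field the checker hides
        return f"Account({self.owner!r}, token={self.token!r})"

CHECKERS = {Account: Checker("owner"), list: Checker("__getitem__"),
            type: Checker("__name__")}
def sample():
    return wrap([Account("alice", "CONSTRUCTED-TOKEN")])
```

Here `sample()[0].token` raises `Forbidden`, yet `str(sample())` contains the token because the list's `repr` runs on the unwrapped `Account`; a `__repr__` that omits the field closes that path.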