[Python-Dev] Capabilities

Zooko zooko@zooko.com
Thu, 03 Apr 2003 08:29:57 -0500


(I, Zooko, wrote the lines prepended with "> > ".)

Ben Laurie wrote:
>
> > In the capability way of life, it is still the case that access to the ZipFile 
> > class gives you the ability to open files anywhere in the system!  (That is: I'm 
> > assuming for now that we implement capabilities without re-writing every 
> > dangerous class in the Library.)
...
> It would probably be helpful to explain what you (or, at least, I) would 
> do if you (I) were writing from scratch, rather than "taming" the 
> existing libraries. In this case, Zipfile would require a file 
> capability to be passed to it at construction time, and so would become 
> non-dangerous, which is, I think, where Guido is coming from.

Thank you.  You are right about how I would do it, and I think you are right 
that this fits with Guido's approach, too.

I would make the constructor of the ZipFile class take a file object, and hide 
(at least from unprivileged code) the option of passing a filename to the 
constructor.  This would make it so that no authority is gained by importing the 
zipfile module.

Regards,

Zooko

http://zooko.com/
         ^-- under re-construction: some new stuff, some broken links
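An added illustration, not part of the thread, of the design sketched above in Python: a wrapper whose constructor accepts only an already-open file object (the capability) and rejects filenames and paths, so that merely importing the module conveys no authority to open files on the system. The names TamedZipFile, build_sample_archive, open_with_capability and try_open_by_name are assumptions for this example, and the archive it reads is constructed in memory.

```python
import io
import os
import zipfile


class TamedZipFile:
    """Capability-style ZipFile: takes an open file object, never a path.

    Holding a reference to this class grants nothing by itself; the caller
    must already hold an open, seekable file object and pass it in. The
    filename form of zipfile.ZipFile's constructor is deliberately hidden.
    """

    def __init__(self, fileobj, mode="r"):
        # Refuse anything that names a file rather than being one.
        if isinstance(fileobj, (str, bytes, os.PathLike)):
            raise TypeError("TamedZipFile takes an open file object, not a path")
        if not (hasattr(fileobj, "read") and hasattr(fileobj, "seek")):
            raise TypeError("file object must be readable and seekable")
        self._zf = zipfile.ZipFile(fileobj, mode)

    def namelist(self):
        return self._zf.namelist()

    def read(self, name):
        return self._zf.read(name)


def build_sample_archive():
    """Constructed sample: a one-entry zip archive held entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "hello from a constructed archive")
    buf.seek(0)
    return buf


def open_with_capability(fileobj):
    """Code that was handed a file capability can read the archive."""
    return TamedZipFile(fileobj).namelist()


def try_open_by_name(path):
    """True if the wrapper refused to turn a bare name into file access."""
    try:
        TamedZipFile(path)
    except TypeError:
        return True
    return False
```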