[Python-Dev] Re: Capabilities

Zooko zooko@zooko.com
Mon, 10 Mar 2003 13:24:11 -0500

 Jeremy Hylton <jeremy@alum.mit.edu> wrote:
> Exceptions do seem like a problem.

This reminds me of a similar problem.  Object A is a powerful object.  Object B 
is a proxy for A which passes through only a subset of A's methods.  So B is 
suitable to give to Object C, which should be able to use the B subset but not 
the full A set.

The problem is if the B subset of methods includes a callback idiom, in which 
Object A calls a function provided by its client and passes a reference to 
itself as an argument.

class A:
    def register_event_handler(self, handler):

    def process_events(self):
        # ...
        for handler in self.handlers:

This allows C full access to object A's methods if C has access to the 
register_event_handler() method.  (Even if A has private data and even if there 
is no flaw in the proxy or capability enforcement that prevents C from getting 
access to A through B.)

So the designer of the B proxy has to not only exclude dangerous methods of A, 
but also has to either exclude methods that lead to this kind of callback, or 
else make B a two-faced proxy that registers itself instead of C as the handler, 
forwards the callback, and passes a reference to itself instead of to A in the