[Python-Dev] Re: Capabilities
Mon, 10 Mar 2003 13:24:11 -0500
Jeremy Hylton <email@example.com> wrote:
> Exceptions do seem like a problem.
This reminds me of a similar problem. Object A is a powerful object. Object B
is a proxy for A which passes through only a subset of A's methods. So B is
suitable to give to Object C, which should be able to use the B subset but not
the full A set.
The problem is if the B subset of methods includes a callback idiom, in which
Object A calls a function provided by its client and passes a reference to
itself as an argument.
def register_event_handler(self, handler):
for handler in self.handlers:
This allows C full access to object A's methods if C has access to the
register_event_handler() method. (Even if A has private data and even if there
is no flaw in the proxy or capability enforcement that prevents C from getting
access to A through B.)
So the designer of the B proxy has to not only exclude dangerous methods of A,
but also has to either exclude methods that lead to this kind of callback, or
else make B a two-faced proxy that registers itself instead of C as the handler,
forwards the callback, and passes a reference to itself instead of to A in the