Python Scripts contain python code that gets executed when you call the
script by:
- Calling the script through the web by going to its location with a
web browser.
- Calling the script from another script object.
- Calling the script from a method object, such as a DTML Method.
Python Scripts can contain a "safe" subset of the python language.
Python Scripts must be safe because they can be potentially edited by
many different users through an insecure medium like the web. The
following safety issues drive the need for secure Python Scripts:
- Because many users can use Zope, a Python Script must make sure it
does not allow a user to do something they are not allowed to do,
like deleting an object they do not have permission to delete.
Because of this requirement, Python Scripts do many security checks
in the course of their execution.
- Because Python Scripts can be edited through the insecure medium of
the web, they are not allowed access to the Zope server's
file-system. Normal Python builtins like
open
are, therefore,
not allowed.
- Because many standard Python modules break the above two security
restrictions, only a small subset of Python modules may be imported
into a Python Scripts with the "import" statement unless they have
been validated by Zope's security policy. Currently, the following
standard python modules have been validated:
- string
- math
- random
- whrandom (deprecated in Python; aliased BBB support will be
removed in Zope 2.10).
- Products.PythonScripts.standard
- Because it allows you to execute arbitrary python code, the python
"exec" statement is not allowed in Python methods.
- Because they may represent or cause security violations, some
Python builtin functions are not allowed. The following
Python builtins are not allowed:
- open
- input
- raw_input
- eval
- execfile
- compile
- type
- coerce
- intern
- dir
- globals
- locals
- vars
- buffer
- reduce
- Other builtins are restricted in nature. The following builtins
are restricted:
- range
- Due to possible memory denial of service attacks, the
range builtin is restricted to creating ranges less than 10,000
elements long.
- filter, map, tuple, list
- For the same reason, builtins
that construct lists from sequences do not operate on strings.
- getattr, setattr, delattr
- Because these may enable Python
code to circumvent Zope's security system, they are replaced with
custom, security constrained versions.
- In order to be consistent with the Python expressions
available to DTML, the builtin functions are augmented with a
small number of functions and a class:
- test
- namespace
- render
- same_type
- DateTime
- Because the "print" statement cannot operate normally in Zope,
its effect has been changed. Rather than sending text to
stdout, "print" appends to an internal variable. The special
builtin name "printed" evaluates to the concatenation of all
text printed so far during the current execution of the
script.