[Zope] Re: [Crew] External Methods?

Brian Lloyd Brian@digicool.com
Tue, 2 Mar 1999 10:08:47 -0500


> I understand the security problems inherent in 
> ExternalMethods; unfortunately,
> without them, Zope is merely an "also-ran" in the web 
> application race, from my
> perspective.  DTML in isolation is not an "ASP-killer."
> 
> I'm CC'ing the Zope list, in hopes that someone there can 
> either allay or slay
> our fears.
> 
> It seems to me that the security problem is that 
> ExternalMethods can get access
> to "sibling objects" of the object on which they are invoked, 
> right?  I mean, if
> we could make the siblings inaccessible, and acquired 
> properties read-only, then
> we should be ok, no?  Ugh, I don't grok acquisition well 
> enough to tackle that
> myself, I fear.

Well, it's actually deeper than that. You are correct in saying
that DTML alone is not an ASP-killer. Consider the similarities
between Zope and, for example, ASP/COM (though the same holds true
for practically any other system as well):

ASP lets you use the services provided by (COM) objects, which may 
be provided by the server or provided independently. I'm sure that
MS tries to make the server-provided objects fairly safe, but there
is _nothing_ stopping a programmer from writing and installing a COM
object with an evil() method that wipes out your C: drive, except the
fact that presumably the sysadmin exercises some control over making
these independent services available.

The same holds true for Zope (and any other app server out there). 
Like ASP/COM, External Methods give you the ability to provide more 
powerful services for use by your application. It also gives you 
exactly the same problems (though I'm sure that evil() method could 
be developed in a quarter of the time in Python :)

Basically, with power comes responsibility, and I can't really imagine
any system that could _safely_ allow possibly-untrusted people to write
(basically) arbitrary code. It's not even really a matter of what
services are or are not available to those people. I'm sure that many,
many hours and much brain-power went into the design of Java's security
mechanisms. Even so, if I were a web site manager I still couldn't let
untrusted users write their own arbitrary Java code to run in my web or
app server. Even after I had figured out a way to wall off every service
I could think of that could possibly be harmful, the user could still
probably just do the Java equivalent of:

  while 1:
    pass

Zope DTML goes to a good deal of trouble to minimize these problems 
in DTML itself, and we would certainly consider any concrete ideas
on how to make External Methods safer. Can you give me some examples
of other app servers that you feel deal with safety of external 
services in a better way? I'd be happy to do some looking into how
others are dealing with this.


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com
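The `while 1: pass` point above is a resource-exhaustion failure mode, not an access-control one, so walling off services does not address it. The following is an added example (not part of the mail, and not Zope's External Method machinery) of the defender-side control that does: run the untrusted callable in a forked child with a kernel-enforced CPU-time ceiling (`RLIMIT_CPU`), so a runaway loop is killed regardless of what it was allowed to call. The function names and the one-second budget are assumptions for illustration; it needs a POSIX system.

```python
import os
import resource

# Hypothetical per-call CPU budget for one untrusted "external method".
CPU_SECONDS = 1


def run_with_cpu_limit(func, cpu_seconds=CPU_SECONDS):
    """Run func() in a forked child whose CPU time is capped by RLIMIT_CPU.

    Returns "ok" if the child finished normally, "killed" if the kernel
    terminated it (SIGXCPU once the limit is hit), or "error" if func raised.
    """
    pid = os.fork()
    if pid == 0:
        # Child: the limit is enforced by the kernel, so even a loop that
        # never yields to the interpreter cannot run past the budget.
        # A forked child's CPU counters start at zero.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        try:
            func()
        except BaseException:
            os._exit(1)
        os._exit(0)
    # Parent: block until the child exits and classify how it ended.
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return "killed"
    return "ok" if os.WEXITSTATUS(status) == 0 else "error"


def well_behaved():
    # A service doing bounded work: finishes well inside the budget.
    total = 0
    for i in range(1000):
        total += i
    return total


def runaway():
    # The loop quoted in the mail: burns CPU forever if nothing stops it.
    while 1:
        pass


if __name__ == "__main__":
    print(run_with_cpu_limit(well_behaved))  # ok
    print(run_with_cpu_limit(runaway))       # killed
```

A wall-clock timeout (e.g. `signal.alarm`) only works for code that returns control to the interpreter; the rlimit approach does not depend on the untrusted code cooperating.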