[Python-Dev] Re: Capabilities
Zooko zooko@zooko.com
Mon, 10 Mar 2003 13:24:11 -0500
Jeremy Hylton <jeremy@alum.mit.edu> wrote:
> Exceptions do seem like a problem.
This reminds me of a similar problem. Object A is a powerful object. Object B is a proxy for A which passes through only a subset of A's methods. So B is suitable to give to Object C, which should be able to use the B subset but not the full A set.
The problem is if the B subset of methods includes a callback idiom, in which Object A calls a function provided by its client and passes a reference to itself as an argument.
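    class A:
        def __init__(self):
            self.handlers = []

        def register_event_handler(self, handler):
            self.handlers.append(handler)

        def process_events(self):
            # ...
            for handler in self.handlers:
                # A passes a reference to itself to every registered handler
                handler(self)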
This allows C full access to object A's methods if C has access to the register_event_handler() method. (Even if A has private data and even if there is no flaw in the proxy or capability enforcement that prevents C from getting access to A through B.)
So the designer of the B proxy has to not only exclude dangerous methods of A, but also has to either exclude methods that lead to this kind of callback, or else make B a two-faced proxy that registers itself instead of C as the handler, forwards the callback, and passes a reference to itself instead of to A in the callback.
Regards,
Zooko
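Added example, not part of the original message: the callback leak through a pass-through proxy, next to the two-faced proxy described above. NaiveProxy, TwoFacedProxy, shutdown() and received_by_handler() are hypothetical names, and the closure only stands in for real capability enforcement, which plain Python does not provide.

```python
# Added illustration; only A.register_event_handler/process_events come from the message.

class A:
    """Powerful object. The proxy is meant to expose the event API but not shutdown()."""
    def __init__(self):
        self.handlers = []
        self.shut_down = False

    def register_event_handler(self, handler):
        self.handlers.append(handler)

    def process_events(self):
        for handler in self.handlers:
            handler(self)            # hands every handler a reference to A itself

    def shutdown(self):              # hypothetical dangerous method, not proxied
        self.shut_down = True


class NaiveProxy:
    """Forwards the allowed method unchanged, so callbacks still receive the raw A."""
    def __init__(self, a):
        self.register_event_handler = a.register_event_handler


class TwoFacedProxy:
    """Registers its own forwarder with A and passes itself to the client's handler."""
    def __init__(self, a):
        def register_event_handler(handler):
            # A calls the forwarder with A; the client's handler only ever sees the proxy.
            a.register_event_handler(lambda _a: handler(self))
        # Assumption: the runtime prevents the client from inspecting this closure.
        self.register_event_handler = register_event_handler


def received_by_handler(proxy_cls):
    """Return (the A instance, the object a client's handler was handed)."""
    a = A()
    seen = []
    proxy_cls(a).register_event_handler(seen.append)   # the client C holds only the proxy
    a.process_events()
    return a, seen[0]
```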