open == file considered harmful (Re: [Python-Dev] RE: rexec.py unuseable)

Guido van Rossum guido at python.org
Wed Dec 17 12:26:13 EST 2003


[Michael Chermside]

I disagree. Right now, having access to a class object basically gives one the ability to create new objects of that type. I think that's just fine... and I don't mind applying it to the file object. I'd think that the thing to do with untrusted code is to deny it access to the 'file' type object, thus denying it the ability to create new 'file's directly.

After all, it's not like file has lots of useful classmethods... client code which is not supposed to create new files has no particular need to access the 'file' object. Oh yes, except that it may have INSTANCES of 'file' and could access f.__class__. But if it is RESTRICTED code, then the only legitimate use of f.__class__ is to do typechecking (it's arguable whether that is good design, but it does seem to be a legitimate use), so for restricted code we return something like this:

    class FakeFile:
        def __eq__(self, other):
            return other == file
        [...]

Are you aware of the original issue, which is that as soon as you have a file instance (which might have been given to you by a very restrictive open() variant), you can always get to the file class using the __class__ attribute? Access to the __class__ attribute is useful for all sorts of reasons.

Guido writes:
> Re the capabilities discussion, this is Python 3.0 material if I ever
> saw some

I agree. But I can dream, can't I?

Yes, even for 3.0 this is still a dream...

--Guido van Rossum (home page: http://www.python.org/~guido/)
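
Added example, not part of the original message: the `__class__` leak described above next to the FakeFile stand-in proposed in the quoted text, written for Python 3, where `io.FileIO` takes the place of the old `file` type. `make_restricted_open`, `GuardedFile` and `demo` are hypothetical names, and the files are constructed in a temporary directory.

```python
import io
import os
import tempfile

def make_restricted_open(allowed_dir):
    """Build an open() variant that only reads files under allowed_dir."""
    root = os.path.realpath(allowed_dir)
    def restricted_open(name):
        path = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, path]) != root:
            raise PermissionError(name)
        return io.FileIO(path, "r")
    return restricted_open

class FakeFile:
    """Stand-in for the type: usable for an == type check, but not callable."""
    def __eq__(self, other):
        return other is io.FileIO

class GuardedFile:
    """Facade given to restricted code; its __class__ yields a FakeFile.
    Not a sandbox: bound-method __self__ and similar introspection hooks
    would also have to be closed off."""
    def __init__(self, raw):
        self.read, self.close = raw.read, raw.close
    __class__ = property(lambda self: FakeFile())

def demo():
    """Exercise both handles on constructed files; return the observations."""
    with tempfile.TemporaryDirectory() as top:
        allowed, secret = os.path.join(top, "allowed"), os.path.join(top, "secret.txt")
        os.mkdir(allowed)
        for path, data in ((os.path.join(allowed, "ok.txt"), b"public"), (secret, b"private")):
            with open(path, "wb") as f:
                f.write(data)
        ropen = make_restricted_open(allowed)
        try:
            ropen("../secret.txt")
            escape_blocked = False
        except PermissionError:
            escape_blocked = True
        raw = ropen("ok.txt")
        with raw.__class__(secret) as g:  # the class is the unrestricted constructor
            leaked = g.read()
        guarded = GuardedFile(raw)
        out = {"escape_blocked": escape_blocked, "leaked": leaked,
               "typecheck_ok": guarded.__class__ == io.FileIO,
               "callable": callable(guarded.__class__),
               "guarded_read": guarded.read()}
        raw.close()
        return out
```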