path: root/docs/devel_guide_src/safeDelegation.tex
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Safe Delegation}
\label{safeDelegation}

% @@MO: Does this really belong in the Developers' Guide or any guide?
% It's more of a wiki Wishlist item, no?  Especially since nobody has
% expressed a need for it.

Safe delegation, as provided by Zope and Allaire's Spectra, is not implemented
in Cheetah.  The core aim has been to help developers and template maintainers
get things done, without throwing unnecessary complications in their
way.  So you should give write access to your templates only to those whom you
trust.  However, several hooks have been built into Cheetah so that safe
delegation can be implemented at a later date.  

It should be possible to implement safe delegation via a future configuration
setting \code{safeDelegationLevel} (0=none, 1=semi-secure, 2=alcatraz).  This
is not implemented, but the steps are listed here in case somebody wants to try
them out and test them.

Of course, you would also need to benchmark your code
and verify that it does not impact performance when safe delegation is off, and
impacts it only modestly when it is on.  All necessary changes can be made
at compile time, so there should be no performance impact when filling the
same TO multiple times.

\begin{enumerate}

\item  Only give untrusted developers access to the .tmpl files.
(Verifying what this means.  Why can't trusted developers access them?)

\item  Disable the \code{\#attr} directive and maybe the \code{\#set} directive.

\item  Use Cheetah's directive validation hooks to disallow
references to \code{self}, etc.
(e.g. \code{\#if \$steal(self.thePrivateVar)})

\item  Implement a validator for the \$placeholders and use it
to disallow '\_\_'  in \$placeholders so that tricks like
\code{\$obj.\_\_class\_\_.\_\_dict\_\_} are not possible.

\end{enumerate}
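
The checks in items 2 to 4 can be prototyped as a scan over the template source before it is compiled. The following Python code is an added example, not part of Cheetah: the function \code{check\_template}, the mapping of the three levels to banned directives, and the sample template are assumptions, and it uses plain regular expressions rather than Cheetah's own validation hooks.

```python
import re

# Assumed mapping of the proposed safeDelegationLevel values to checks;
# the guide names the levels but does not define what each one disables.
NONE, SEMI_SECURE, ALCATRAZ = 0, 1, 2
BANNED = {NONE: set(), SEMI_SECURE: {"attr"}, ALCATRAZ: {"attr", "set"}}

DIRECTIVE = re.compile(r"(?<!\\)#(\w+)")   # unescaped #name
PLACEHOLDER = re.compile(r"(?<!\\)\$.*")    # first unescaped $ to end of line
SELF_REF = re.compile(r"\bself\b")


def check_template(source, level=ALCATRAZ):
    """Return a list of (line_number, reason); an empty list means accepted.

    Fails closed: everything after the first unescaped $ on a line counts
    as placeholder text, so some harmless templates are rejected as well.
    Assumes a placeholder never spans more than one line.
    """
    if level == NONE:
        return []
    violations = []
    for number, line in enumerate(source.splitlines(), 1):
        found = list(DIRECTIVE.finditer(line))
        for match in found:
            if match.group(1) in BANNED[level]:
                violations.append(
                    (number, "directive #%s is disabled" % match.group(1)))
        # Any use of self after the first directive token on the line.
        if found and SELF_REF.search(line, found[0].end()):
            violations.append((number, "directive references self"))
        placeholder = PLACEHOLDER.search(line)
        if placeholder and "__" in placeholder.group(0):
            violations.append((number, "'__' in placeholder text"))
    return violations


# Constructed sample template, built from the expressions quoted in the list.
SAMPLE = """\
#attr $title = 'x'
#set $n = 1
#if $steal(self.thePrivateVar)
Hello $user.name, $obj.__class__.__dict__
#end if
"""

if __name__ == "__main__":
    for number, reason in check_template(SAMPLE):
        print("line %d: %s" % (number, reason))
```

Because the scan runs once on the source, it adds nothing to the cost of filling an already compiled template, which matches the compile-time requirement stated above.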