"Fossies" - the Fresh Open Source Software Archive

Member "cheetah3-3.2.6.post2/docs/dev_guide/safeDelegation.rst" (20 Apr 2021, 1524 Bytes) of package /linux/www/cheetah3-3.2.6.post2.tar.gz:


Safe Delegation

Safe delegation, as provided by Zope and Allaire's Spectra, is not implemented in Cheetah. The core aim has been to help developers and template maintainers get things done, without throwing unnecessary complications in their way. So you should give write access to your templates only to those whom you trust. However, several hooks have been built into Cheetah so that safe delegation can be implemented at a later date.

It should be possible to implement safe delegation via a future configuration Setting {safeDelegationLevel} (0=none, 1=semi-secure, 2=alcatraz). This is not implemented, but the steps are listed here in case somebody wants to try them out and test them.

Of course, you would also need to benchmark your code and verify it does not impact performance when safe delegation is off, and impacts it only modestly when it is on. All necessary changes can be made at compile time, so there should be no performance impact when filling the same TO multiple times.

  1. Only give untrusted developers access to the .tmpl files. (Verifying what this means. Why can't trusted developers access them?)
  2. Disable the {#attr} directive and maybe the {#set} directive.
  3. Use Cheetah's directive validation hooks to disallow references to {self}, etc. (e.g. {#if $steal(self.thePrivateVar)})
  4. Implement a validator for the $placeholders and use it to disallow '__' in $placeholders so that tricks like {$obj.__class__.__dict__} are not possible.
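
The checks in steps 2 to 4 can be prototyped as a scan of the raw template source before it reaches the compiler. This is an added sketch, not Cheetah code: it does not use Cheetah's validation hooks (their signatures are not shown on this page), and the function name, reason strings and sample template are hypothetical.

```python
import re

# Directives the list above proposes disabling for untrusted template authors.
BANNED_DIRECTIVES = {"attr", "set"}

# "#name expr": directive name plus its expression, up to the next '#' or end of line.
DIRECTIVE_RE = re.compile(r"(?<!\\)#(\w+)([^#\n]*)")
SELF_RE = re.compile(r"\bself\b")
# First '$' on the line that is not backslash-escaped (i.e. a live placeholder).
PLACEHOLDER_START_RE = re.compile(r"(?<!\\)\$")


def validate_template(source):
    """Return [(line_no, reason), ...]; an empty list means the source is accepted.

    Deliberately fail-closed: it may reject harmless text (for example literal
    text containing '__' after a placeholder) rather than parse expressions exactly.
    """
    violations = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in DIRECTIVE_RE.finditer(line):
            name, expr = match.groups()
            if name in BANNED_DIRECTIVES:                 # step 2
                violations.append((line_no, "banned-directive"))
            if SELF_RE.search(expr):                      # step 3
                violations.append((line_no, "self-reference"))
        start = PLACEHOLDER_START_RE.search(line)
        if start and "__" in line[start.end():]:          # step 4
            violations.append((line_no, "dunder-placeholder"))
    return violations


# Constructed sample template, not taken from Cheetah's documentation.
SAMPLE = """\
<h1>$title</h1>
#attr $secret = 1
#set $x = $obj.__class__.__dict__
#if $steal(self.thePrivateVar)
${user.name}
#end if
"""

if __name__ == "__main__":
    for line_no, reason in validate_template(SAMPLE):
        print(f"line {line_no}: {reason}")
```

A source-level scan like this rejects a template before compilation, which matches the note above that all necessary changes can be made at compile time.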