(I, Zooko, wrote the lines prepended with "> > ".)

Ben Laurie wrote:
>
> > In the capability way of life, it is still the case that access to the ZipFile
> > class gives you the ability to open files anywhere in the system! (That is: I'm
> > assuming for now that we implement capabilities without re-writing every
> > dangerous class in the Library.)

...

> It would probably be helpful to explain what you (or, at least, I) would
> do if you (I) were writing from scratch, rather than "taming" the
> existing libraries. In this case, Zipfile would require a file
> capability to be passed to it at construction time, and so would become
> non-dangerous, which is, I think, where Guido is coming from.

Thank you.

You are right about how I would do it, and I think you are right that this fits with Guido's approach, too.

I would make the constructor of the ZipFile class take a file object, and hide (at least from unprivileged code) the option of passing a filename to the constructor. This would make it so that no authority is gained by importing the zipfile module.

Regards,

Zooko

http://zooko.com/
^-- under re-construction: some new stuff, some broken links
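The design sketched in this thread, as an added illustration that is not code from the thread or from Python's standard library: a hypothetical `TamedZipFile` wrapper whose constructor accepts only an already-open binary file object, so the file object itself is the capability and merely importing the class grants no authority to open paths on the system.

```python
import io
import os
import zipfile


class TamedZipFile:
    """Capability-style wrapper around zipfile.ZipFile (hypothetical name).

    Only an open binary file object is accepted, never a filename or path,
    so a reference to this class confers no ability to open files elsewhere:
    a caller must first be handed a file object by someone who holds it.
    """

    def __init__(self, fileobj, mode="r"):
        # Refuse anything that designates a file by name rather than by object.
        if isinstance(fileobj, (str, bytes, os.PathLike)):
            raise TypeError("TamedZipFile takes an open file object, not a path")
        # Require the minimal file protocol zipfile needs for the chosen mode.
        required = ("read", "seek", "tell") if mode == "r" else ("write",)
        for attr in required:
            if not callable(getattr(fileobj, attr, None)):
                raise TypeError(f"file object lacks {attr}()")
        self._zf = zipfile.ZipFile(fileobj, mode=mode)

    def namelist(self):
        return self._zf.namelist()

    def read(self, name):
        return self._zf.read(name)

    def close(self):
        self._zf.close()


def make_sample_zip():
    """Constructed sample archive, built entirely in memory (no disk access)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "read via a passed-in file object\n")
    buf.seek(0)
    return buf


def demo():
    """Returns (names, content, path_refused) for the two cases of interest."""
    cap = make_sample_zip()           # the file object *is* the capability
    tamed = TamedZipFile(cap)
    names, content = tamed.namelist(), tamed.read("hello.txt")
    tamed.close()
    try:
        TamedZipFile("some/archive/on/disk.zip")  # a path would be ambient authority
        refused = False
    except TypeError:
        refused = True
    return names, content, refused
```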