From c9987844b347d2e98a1b29af2c6d45caf0c2fa8b Mon Sep 17 00:00:00 2001
From: helmutm
Date: Sat, 4 Aug 2007 08:46:32 +0000
Subject: [PATCH] release security checking for 'unrestricted_objects'

git-svn-id: svn://svn.cy55.de/Zope3/src/cybertools/trunk@1877 fd906abe-77d9-0310-91a1-e0d9ade77398
---
pyscript/script.py | 40 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/pyscript/script.py b/pyscript/script.py
index 2fdd222..6f51be7 100644
--- a/pyscript/script.py
+++ b/pyscript/script.py
@@ -24,16 +24,52 @@ from cStringIO import StringIO from persistent import Persistent from zope.proxy import removeAllProxies from zope.security.untrustedpython.builtins import SafeBuiltins -from zope.security.untrustedpython.rcompile import compile +#from zope.security.untrustedpython.rcompile import compile from zope.traversing.api import getParent, getPath from zope.app.container.contained import Contained -#from zope.app.interpreter.interfaces import IInterpreter from zope.interface import implements from zope.app.i18n import ZopeMessageFactory as _ from cybertools.pyscript.interfaces import IPythonScript, IScriptContainer +import compiler.pycodegen +import RestrictedPython.RCompile +from RestrictedPython.SelectCompiler import ast +from zope.security.untrustedpython.rcompile import RestrictionMutator as BaseRM + +unrestricted_objects = ('rpy', 'r') + +def compile(text, filename, mode): + if not isinstance(text, basestring): + raise TypeError("Compiled source must be string") + gen = RExpression(text, str(filename), mode) + gen.compile() + return gen.getCode() + +class RExpression(RestrictedPython.RCompile.RestrictedCompileMode): + + CodeGeneratorClass = compiler.pycodegen.ExpressionCodeGenerator + + def __init__(self, source, filename, mode = "eval"): + self.mode = mode + RestrictedPython.RCompile.RestrictedCompileMode.__init__( + self, source, filename) + self.rm = RestrictionMutator() + +class RestrictionMutator(BaseRM): + + unrestricted_objects = unrestricted_objects + + def visitGetattr(self, node, walker): + _getattr_name = ast.Name("getattr") + node = walker.defaultVisitNode(node) + if node.expr.name in self.unrestricted_objects: + return node # no protection + return ast.CallFunc(_getattr_name, + [node.expr, ast.Const(node.attrname)]) + + class PythonScript(Contained, Persistent): """Persistent Python Page - Content Type """
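Review bot: In `RestrictionMutator.visitGetattr`, `node.expr.name` is read on whatever expression precedes the dot, but only `ast.Name` nodes carry a `name` attribute, so a chained or computed access such as `a.b.c` or `f().x` would likely raise AttributeError at compile time instead of being wrapped in `getattr`; guard the test with `if isinstance(node.expr, ast.Name) and node.expr.name in self.unrestricted_objects:`. The exemption is also decided purely by the identifier text, so any object a script binds to `r` or `rpy` loses the `getattr` guard, not only the objects the author had in mind; the hunk does not show where those names are injected, so confirm that scripts cannot rebind them, or tie the exemption to the object rather than the name. A comment on `unrestricted_objects` would make the trust decision explicit, e.g. `# names whose attributes are read without the security-checked getattr`. The commented-out `#from zope.security.untrustedpython.rcompile import compile` line can simply be deleted.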