[Zope-Checkins] CVS: Zope2 - DT_In.py:1.48.4.1 DT_Util.py:1.72.18.1
shane@digicool.com
shane@digicool.com
Thu, 19 Apr 2001 18:52:48 -0400 (EDT)
Update of /cvs-repository/Zope2/lib/python/DocumentTemplate
In directory korak:/tmp/cvs-serv5490
Modified Files:
Tag: RestrictedPythonBranch
DT_In.py DT_Util.py
Log Message:
Converting to use RestrictedPython but it's a work in progress
--- Updated File DT_In.py in package Zope2 --
--- DT_In.py 2001/04/13 19:31:42 1.48
+++ DT_In.py 2001/04/19 22:52:47 1.48.4.1
@@ -406,7 +406,8 @@
__version__='$Revision$'[11:-2]
from DT_Util import ParseError, parse_params, name_param, str
-from DT_Util import render_blocks, InstanceDict, ValidationError, VSEval, expr_globals
+from DT_Util import render_blocks, InstanceDict, ValidationError, \
+ RestrictedEval, expr_globals
from string import find, atoi, join, split, lower
import ts_regex
from DT_InSV import sequence_variables, opt
@@ -445,10 +446,11 @@
if sort=='sequence-item': self.sort=''
if has_key('sort_expr'):
- self.sort_expr=VSEval.Eval(args['sort_expr'], expr_globals)
+ self.sort_expr=RestrictedEval(args['sort_expr'], expr_globals)
if has_key('reverse_expr'):
- self.reverse_expr=VSEval.Eval(args['reverse_expr'], expr_globals)
+ self.reverse_expr=RestrictedEval(args['reverse_expr'],
+ expr_globals)
if has_key('reverse'):
self.reverse=args['reverse']
--- Updated File DT_Util.py in package Zope2 --
--- DT_Util.py 2001/01/22 16:36:16 1.72
+++ DT_Util.py 2001/04/19 22:52:47 1.72.18.1
@@ -87,7 +87,7 @@
import regex, string, math, os
from string import strip, join, atoi, lower, split, find
-import VSEval
+##import VSEval
str=__builtins__['str'] # Waaaaa, waaaaaaaa needed for pickling waaaaa
@@ -157,32 +157,32 @@
except: pass
return 0
-def careful_getitem(md, mapping, key):
- v=mapping[key]
+##def careful_getitem(md, mapping, key):
+## v=mapping[key]
- if type(v) is type(''): return v # Short-circuit common case
+## if type(v) is type(''): return v # Short-circuit common case
- validate=md.validate
- if validate is None or validate(mapping,mapping,None,v,md): return v
- raise ValidationError, key
-
-def careful_getslice(md, seq, *indexes):
- v=len(indexes)
- if v==2:
- v=seq[indexes[0]:indexes[1]]
- elif v==1:
- v=seq[indexes[0]:]
- else: v=seq[:]
-
- if type(seq) is type(''): return v # Short-circuit common case
-
- validate=md.validate
- if validate is not None:
- for e in v:
- if not validate(seq,seq,None,e,md):
- raise ValidationError, 'unauthorized access to slice member'
+## validate=md.validate
+## if validate is None or validate(mapping,mapping,None,v,md): return v
+## raise ValidationError, key
+
+##def careful_getslice(md, seq, *indexes):
+## v=len(indexes)
+## if v==2:
+## v=seq[indexes[0]:indexes[1]]
+## elif v==1:
+## v=seq[indexes[0]:]
+## else: v=seq[:]
+
+## if type(seq) is type(''): return v # Short-circuit common case
+
+## validate=md.validate
+## if validate is not None:
+## for e in v:
+## if not validate(seq,seq,None,e,md):
+## raise ValidationError, 'unauthorized access to slice member'
- return v
+## return v
def careful_range(md, iFirst, *args):
# limited range function from Martijn Pieters
@@ -309,29 +309,89 @@
d['reorder']=reorder
+class DTMLGuard:
+ _md = None
+
+ def __init__(self, ob):
+ self._ob = ob
+
+ def __getattr__(self, name):
+ if name[:1]!='_':
+ inst = self._ob
+ # Try to get the attribute normally so that we don't
+ # accidentally acquire when we shouldn't.
+ try: v=getattr(inst, name)
+ except:
+ if default is not _marker:
+ return default
+ raise
+ md = self._md
+ validate = md.validate
+ if validate is None:
+ return v
+ if hasattr(inst, 'aq_acquire'):
+ return inst.aq_acquire(name, validate, md)
+ if validate(inst, inst, name, v, md):
+ return v
+ raise ValidationError, name
+
+ def __len__(self):
+ return len(self._ob)
+
+ def __getitem__(self, key):
+ mapping = self._ob
+ v = mapping[key]
+ if type(v) is type(''):
+ return v # Short-circuit common case
+ md = self._md
+ validate = md.validate
+ if validate is None or validate(mapping, mapping, None, v, md):
+ return v
+ raise ValidationError, key
+
+ def __getslice__(self, lo, hi):
+ seq = self._ob
+ v = seq[lo:hi]
+ if type(seq) is type(''):
+ return v # Short-circuit common case
+ md = self._md
+ validate = md.validate
+ if validate is not None:
+ for e in v:
+ if not validate(seq, seq, None, e, md):
+ raise ValidationError, (
+ 'unauthorized access to slice member')
+ return v
+
expr_globals={
'__builtins__':{},
- '__guarded_mul__': VSEval.careful_mul,
- '__guarded_getattr__': careful_getattr,
- '__guarded_getitem__': careful_getitem,
- '__guarded_getslice__': careful_getslice,
}
-class Eval(VSEval.Eval):
-
+from RestrictedPython.Eval import RestrictedEval
+
+class Eval(RestrictedEval):
+
def eval(self, mapping):
- d={'_vars': mapping, '_': mapping}
- code=self.code
- globals=self.globals
+ # Create a temporary subclass of DTMLGuard.
+ d = self.globals.copy()
+ class Guard (DTMLGuard): pass
+ Guard._md = mapping
+ d['_guard'] = Guard
+ d['_'] = mapping
+ code = self.code
for name in self.used:
__traceback_info__ = name
try: d[name]=mapping.getitem(name,0)
except KeyError:
- if name=='_getattr':
- d['__builtins__']=globals
- exec compiled_getattr in d
-
- return eval(code,globals,d)
+ # Swallow KeyErrors since the expression
+ # might not actually need the name. If it
+ # does need the name, a NameError will occur.
+ pass
+
+ #print 'eval', str(self)
+ #for k in dir(code):
+ # print '%s: %s' % (k, repr(getattr(code, k)))
+ return eval(code, d)
def name_param(params,tag='',expr=0, attr='name', default_unnamed=1):