[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/ Added
protection against the (small) risk that someone could mitate an
Jim Fulton
jim at zope.com
Wed Oct 26 13:12:33 EDT 2005
Log message for revision 39644:
Added protection against the (small) risk that someone could mitate an
object through an augmented assignment (aka inplace) operator.
Also added handling for generator expressions.
Changed:
U Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
U Zope/branches/Zope-2_8-branch/lib/python/RestrictedPython/RestrictionMutator.py
-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===================================================================
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2005-10-26 17:12:30 UTC (rev 39643)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2005-10-26 17:12:32 UTC (rev 39644)
@@ -22,8 +22,10 @@
- Collector #1233: port ZOPE_CONFIG patch from Zope 2.7 to Zope 2.8
- After Zope 2.8.3
+
+ Zope 2.8.4
+
Bugs Fixed
- Collector #1927: Modified ZReST not to store rendered / warnings
@@ -33,6 +35,13 @@
- Collector #1926: fixed a typo in _doAddUser when password
encryption is enabled.
+ - If a content object implemented any in-place numeric operators,
+ untrusted code could call them, thus modifying the content.
+
+ - If Python 2.4 is used, despite the fact that Python 2.4 is
+ unsupported, untrusted code could use generator expressions to
+ gain access to container items.
+
Zope 2.8.3 (2005/10/18)
Other
Modified: Zope/branches/Zope-2_8-branch/lib/python/RestrictedPython/RestrictionMutator.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/RestrictedPython/RestrictionMutator.py 2005-10-26 17:12:30 UTC (rev 39643)
+++ Zope/branches/Zope-2_8-branch/lib/python/RestrictedPython/RestrictionMutator.py 2005-10-26 17:12:32 UTC (rev 39644)
@@ -47,6 +47,7 @@
_getiter_name = ast.Name("_getiter_")
_print_target_name = ast.Name("_print")
_write_name = ast.Name("_write_")
+_inplacevar_name = ast.Name("_inplacevar_")
# Constants.
_None_const = ast.Const(None)
@@ -239,9 +240,9 @@
# for x in expr:
# to
# for x in _getiter(expr):
+ # # Note that visitListCompFor is the same thing.
#
- # Note that visitListCompFor is the same thing. Exactly the same
- # transformation is needed to convert
+ # Also for list comprehensions:
# [... for x in expr ...]
# to
# [... for x in _getiter(expr) ...]
@@ -251,6 +252,15 @@
visitListCompFor = visitFor
+ def visitGenExprFor(self, node, walker):
+ # convert
+ # (... for x in expr ...)
+ # to
+ # (... for x in _getiter(expr) ...)
+ node = walker.defaultVisitNode(node)
+ node.iter = ast.CallFunc(_getiter_name, [node.iter])
+ return node
+
def visitGetattr(self, node, walker):
"""Converts attribute access to a function call.
@@ -365,8 +375,23 @@
This could be a problem if untrusted code got access to a
mutable database object that supports augmented assignment.
"""
- node.node.in_aug_assign = True
- return walker.defaultVisitNode(node)
+ if node.node.__class__.__name__ == 'Name':
+ node = walker.defaultVisitNode(node)
+ newnode = ast.Assign(
+ [ast.AssName(node.node.name, OP_ASSIGN)],
+ ast.CallFunc(
+ _inplacevar_name,
+ [ast.Const(node.op),
+ ast.Name(node.node.name),
+ node.expr,
+ ]
+ ),
+ )
+ newnode.lineno = node.lineno
+ return newnode
+ else:
+ node.node.in_aug_assign = True
+ return walker.defaultVisitNode(node)
def visitImport(self, node, walker):
"""Checks names imported using checkName()."""
More information about the Zope-Checkins
mailing list