[Zope-dev] audit of RestrictedPython for Python 2.7

Hanno Schlichting hanno at hannosch.eu
Fri Jul 9 09:16:55 EDT 2010


Hi David,

awesome work!

Sidnei or Stephan, can one of you comment on David's approach or offer a review?

Cheers,
Hanno

On Fri, Jul 9, 2010 at 5:42 AM, David Glick <davidglick at groundwire.org> wrote:
> I am done (as far as I can tell) evaluating RestrictedPython to see if
> changes are needed to support Python 2.7. This is the first time I have
> done this, so would appreciate if someone else can look over my work to
> make sure I'm not missing something important.  I'll describe my process
> and findings below.
>
> The basic summary is that Python 2.7 adds a small number of syntactic
> features and they are already handled adequately by RestrictedPython.  I
> added some tests for these on a branch,
> http://svn.zope.org/repos/main/RestrictedPython/branches/davisagli-python27,
> which I can merge once someone else has looked over them. In addition, I
> discovered the omission of a name check for the "from x import y" style
> import; this is also fixed on the branch.
>
> To go into detail...
>
> I started by reading RestrictedPython (henceforth referred to as RP) to
> familiarize myself with how it works. Next I read the "What's New in
> Python 2.7" document and noted features that might require changes in
> RP. Then I went through each of these and looked at the corresponding
> changes in the Python compiler, bytecode generator and evaluator to
> further check on whether changes were needed. Here are the items I
> checked and my conclusions...
>
> - dict and set comprehensions: These need to use RP's safe _getitem_ to
> iterate. This was already taken care of because these new comprehensions
> use the same ListCompFor AST node that list comprehensions do.
>
> - set literals: These build a new set based on the result of evaluating
> other AST nodes that RP already protects, so should be safe.
>
> - multiple context managers in one with statement: I wrote a test to
> confirm that the existing name check for context managers still works
> when there are multiple ones.
>
> - the 'with' statement now uses a new opcode SETUP_WITH that does an
> unprotected lookup of the '__enter__' and '__exit__' methods of the
> context manager.  I don't think this is a problem, since methods
> starting with an underscore can't be defined in RP.
>
> - dictionary views: these don't introduce new builtins or syntax, so I
> don't think changes are necessary. To allow access to them in RP in Zope
> 2 we would need to adjust the dict method whitelist in
> AccessControl.ZopeGuards to allow viewitems, viewkeys, and viewvalues.
>
> - new builtins memoryview, bytes, and bytearray: For now I punted and
> these are not included in RP's safe_builtins list. memoryview and
> bytearray should probably not be added. bytes is just a synonym for str
> in Python 2.7 afaict, so would probably be okay to add.
>
> - explicit relative imports (from .x import y): These are covered by the
> name check I added (as noted above in the summary) for "from x import y"
> imports in general.
>
> - except x as y: Added a test to show that this is already covered.
>
> Finally, to double-check my work I did diffs of Lib/compiler/ast.py and
> Python/ceval.c in the Python source to check for any new AST nodes or
> opcodes that I had overlooked above. This didn't yield any new concerns
> that I hadn't already considered.
>
> peace,
> David
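As an added illustration of the class of check David describes (this is not RestrictedPython's own code, and it is written against Python 3's ast module rather than the 2.7 compiler module RP used at the time): a minimal walker that rejects underscore-prefixed bound names in from-imports (including relative ones), in each target of a multi-manager with statement, in "except x as y", and in comprehension targets.

```python
import ast

# Constructed, simplified illustration: reject any *binding* name that starts
# with an underscore, in the positions the review discusses.

class NameCheckError(Exception):
    pass

def _check_name(name, node):
    if name.startswith("_"):
        raise NameCheckError(
            f'"{name}" is an invalid variable name because it starts with "_" '
            f"(line {node.lineno})")

def _check_target(target):
    # Targets may be a single Name or (nested) tuples/lists of Names.
    for node in ast.walk(target):
        if isinstance(node, ast.Name):
            _check_name(node.id, node)

class RestrictedNameChecker(ast.NodeVisitor):
    def visit_ImportFrom(self, node):
        # The check the review reports as missing: the bound name is the alias
        # if present, else the imported name; "from .x import y" binds the same way.
        for alias in node.names:
            _check_name(alias.asname or alias.name, node)
        self.generic_visit(node)

    def visit_withitem(self, node):
        # One withitem per context manager, so every "as" target is checked.
        if node.optional_vars is not None:
            _check_target(node.optional_vars)
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        if node.name is not None:
            _check_name(node.name, node)
        self.generic_visit(node)

    def visit_comprehension(self, node):
        _check_target(node.target)
        self.generic_visit(node)

def check_source(source):
    """Return None if every bound name passes, else the error message."""
    try:
        RestrictedNameChecker().visit(ast.parse(source))
    except NameCheckError as exc:
        return str(exc)
    return None
```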

