[Zope] Make os.popen() available to scripts

Tino Wildenhain tino at wildenhain.de
Mon Aug 9 12:28:55 EDT 2004


Hi,

On Mon, 09.08.2004 at 16:55, Simon Forster wrote:
> I would like to make os.popen() available to python scripts added via 
> the Zope management interface [1]. Following a previous posting, people 
> pointed me to zope/lib/python/Products/PythonScripts/README.txt and 
> Paul Winkler added to that a URL 
> <http://www.zopelabs.com/cookbook/1074897091>.
> 
> Following the README all I need do is create an __init__.py file with 
> the content:
> 
> from Products.PythonScripts.Utility import allow_module
> allow_module('os.popen')
> 
> in an appropriate products folder. As this got me nowhere I dug around 
> and found that "# These have been relocated, and should be imported 
> from AccessControl" so I modified this to:
> 
> from AccessControl import allow_module
> allow_module('os.popen')
> 
> This I've done and indeed, I have the appropriate product listed in the 
> Control Panel. When I call my testScript, it all works fine up to:
> 
> return popen(cmd_str).read()
> 
> Where cmd_str is a valid string which has been run in a standalone 
> python environment. When I uncomment this line I get endless requests 
> for a username:password pair from the browser.
> 
> Quite obviously I'm doing something wrong. At this point in time I do 
> not understand Zope at all and the more I read, the more confused I get 
> :-(
> 
> Can someone point me in the right direction?

First of all: you are about to open the biggest security
hole one can imagine. If your zope protection
fails somewhere or you pass not fully sanitized
strings from forms to your popen call, your system
is fully open for the wild. 

For the rare cases you want to call another program,
you should explicitly hardcode the call and make
sure no raw arguments get passed. 

Be really sure you need to call the external program!
The python library is rich and you can do almost everything
with it. There are a lot of 3rd party python modules
for a lot of purposes.

Ok, if you still are sure, try to do the following:

declare the popen call and declare its return value
(which is a class) protected.

Another handy solution is to write a small
helper function directly into your __init__.py

from os import popen

def mypopen(args):
    # Runs args through the shell and returns everything the command printed
    return popen(args).read()

and just open this function for python scripts.

(even import popen as orig_popen and use the name popen
for your wrapper is possible)
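
An added example, not part of the original post: one way to combine the two pieces of advice above (hardcode the call, pass no raw arguments, expose only a wrapper). It assumes Python 3 and a current AccessControl; the product name Products.FixedCommands, the command table and run_fixed are hypothetical, and sys.executable stands in for the real binary.

```python
import re
import subprocess
import sys

# Constructed allowlist: a Python Script picks a key, never a command line.
_FIXED_COMMANDS = {
    "interpreter_version": [sys.executable, "-c",
                            "import sys; print(sys.version_info[0])"],
    "byte_count": [sys.executable, "-c",
                   "import sys; print(len(sys.argv[1]))"],
}
# Keys that accept one argument, and the only shape it may have.
# No leading '-', so a value can never be read as an option.
_ARG_PATTERNS = {
    "byte_count": re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}"),
}


def run_fixed(name, arg=None):
    """Run one hardcoded command and return its stdout as text."""
    if name not in _FIXED_COMMANDS:
        raise ValueError("unknown command: %r" % (name,))
    argv = list(_FIXED_COMMANDS[name])
    pattern = _ARG_PATTERNS.get(name)
    if pattern is None:
        if arg is not None:
            raise ValueError("%s takes no argument" % name)
    else:
        if not isinstance(arg, str) or not pattern.fullmatch(arg):
            raise ValueError("rejected argument for %s" % name)
        argv.append(arg)
    # argv is a list and no shell is involved, so metacharacters in arg
    # (had they passed the pattern) would still not be interpreted.
    result = subprocess.run(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, timeout=10, check=True)
    return result.stdout.decode("utf-8", "replace")


try:
    # In the product's __init__.py: open only the wrapper to Python Scripts.
    from AccessControl import ModuleSecurityInfo
    ModuleSecurityInfo("Products.FixedCommands").declarePublic("run_fixed")
except ImportError:
    pass  # running outside Zope
```

os.popen itself stays unavailable to through-the-web scripts; they can only choose among the listed keys.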



