[zope2-tracker] [Bug 659968] Re: guarded_import does not support 5-args form

maurits 659968 at bugs.launchpad.net
Wed Oct 20 20:04:48 EDT 2010


I see the same, so I will add some notes here.  I run into this when I
am trying to trigger an error by writing some tests for the old
unicodeTestIn python script in Products.Archetypes. This is with the
current plone-coredev/4.0 which uses a checkout of AccessControl from
the 2.12. branch of Zope2.

It can be reproduced with a Script (Python) with this admittedly silly
line:

    return u'\xeb' in [u'\xeb'.encode('utf-8')] and 'yes' or 'no'

This raises an Unauthorized exception:

     Module AccessControl.ZopeGuards, line 283, in guarded_import
    Unauthorized: Using import with a level specification isn't supported by AccessControl: _warnings

When I comment out the 'if level != -1:' test in AccessControl that
would raise the above exception, the hidden problem in the silly line
becomes visible as the code wants to show this warning:

    UnicodeWarning: Unicode equal comparison failed to convert both
    arguments to Unicode - interpreting them as being unequal

I would very much prefer to see this last UnicodeWarning as it helps me
to see the problem in my code, instead of the cryptic Unauthorized
error.

From the python 2.6 docstring for __import__ it does not look dangerous
to allow level=0 as argument as that simply means doing an absolute
import:

    Level is used to determine whether to perform 
    absolute or relative imports.  -1 is the original strategy of attempting
    both absolute and relative imports, 0 is absolute, a positive number
    is the number of parent directories to search relative to the current module.

But AccessControl has some scary code so I can very much imagine that
you are hesitant to change the code any further. Feels like opening
Pandora's box... Still, allowing level=0 looks safe to me; in our case
it seems to have the same effect as level=-1 because relative imports
probably do not have much meaning in a RestrictedPython context. With a
pdb at the end of the guarded_import method, this is what I see:

    (Pdb) __import__('_warnings', globals, locals, fromlist, level=-1)
    <module '_warnings' (built-in)>
    (Pdb) __import__('_warnings', globals, locals, fromlist, level=0)
    <module '_warnings' (built-in)>
    (Pdb) __import__('_warnings', globals, locals, fromlist, level=1)
    *** ValueError: Attempted relative import in non-package

So I suggest changing the added test to 'if level > 0: raise
Unauthorized(...)'.

For completeness' sake, if I try that same silly Script (Python) on
Plone 3.3.5 (python 2.4, Zope 2.10) I get the more familiar

    UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 0: ordinal not in range(128)

-- 
guarded_import does not support 5-args form
https://bugs.launchpad.net/bugs/659968
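
The two checks discussed in the message above, side by side, as an added example that is not AccessControl's code and not part of the original message. It runs on Python 3, where the import statement always calls `__import__` in the 5-argument form (level 0 for an absolute import); `Unauthorized`, the allow-list and all function names here are hypothetical stand-ins.

```python
import builtins

class Unauthorized(Exception):
    """Stand-in for the exception named in the traceback (constructed here)."""

# Hypothetical allow-list for this sketch; not AccessControl's real policy.
ALLOWED = frozenset({"_warnings", "math"})

def _checked_import(name, globals, locals, fromlist, level):
    if name not in ALLOWED:
        raise Unauthorized("import of %r is not allowed" % name)
    # Python 3 removed level=-1; treat it as an absolute import (0).
    return builtins.__import__(name, globals, locals, fromlist, max(level, 0))

def strict_guarded_import(name, globals=None, locals=None, fromlist=(), level=-1):
    """The check quoted in the message: any explicit level is refused."""
    if level != -1:
        raise Unauthorized("Using import with a level specification "
                           "isn't supported: %s" % name)
    return _checked_import(name, globals, locals, fromlist, level)

def relaxed_guarded_import(name, globals=None, locals=None, fromlist=(), level=-1):
    """The suggested check: refuse only explicit relative imports."""
    if level > 0:
        raise Unauthorized("Relative import (level=%d) is not supported: %s"
                           % (level, name))
    return _checked_import(name, globals, locals, fromlist, level)

def run_with_guard(source, guard):
    """Execute source with guard installed as __import__; report the outcome."""
    env = {"__builtins__": {"__import__": guard}}
    try:
        exec(source, env)
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc
    return env.get("result")

if __name__ == "__main__":
    # Constructed inputs: an absolute import, a relative one, a disallowed one.
    for src in ("import math\nresult = math.sqrt(16)",
                "from . import sibling",
                "import os"):
        for guard in (strict_guarded_import, relaxed_guarded_import):
            print(guard.__name__, repr(src), "->", run_with_guard(src, guard))
```

With the relaxed check the module allow-list still decides what may be imported; only the blanket refusal of level 0 goes away.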