Commit ceef435d authored by Jim Fulton's avatar Jim Fulton

Added protection against the (small) risk that someone could mitate an

object through an augmented assignment (aka inplace) operator.

Also added handling for generator expressions.
parent 912a5266
...@@ -22,7 +22,9 @@ Zope Changes ...@@ -22,7 +22,9 @@ Zope Changes
- Collector #1233: port ZOPE_CONFIG patch from Zope 2.7 to Zope 2.8 - Collector #1233: port ZOPE_CONFIG patch from Zope 2.7 to Zope 2.8
After Zope 2.8.3
Zope 2.8.4
Bugs Fixed Bugs Fixed
...@@ -33,6 +35,13 @@ Zope Changes ...@@ -33,6 +35,13 @@ Zope Changes
- Collector #1926: fixed a typo in _doAddUser when password - Collector #1926: fixed a typo in _doAddUser when password
encryption is enabled. encryption is enabled.
- If a content object implemented any in-place numeric operators,
untrusted code could call them, thus modifying the content.
- If Python 2.4 is used, despite the fact that Python 2.4 is
unsupported, untrusted code could use generator expressions to
gain access to container items.
Zope 2.8.3 (2005/10/18) Zope 2.8.3 (2005/10/18)
Other Other
......
...@@ -47,6 +47,7 @@ _getitem_name = ast.Name("_getitem_") ...@@ -47,6 +47,7 @@ _getitem_name = ast.Name("_getitem_")
_getiter_name = ast.Name("_getiter_") _getiter_name = ast.Name("_getiter_")
_print_target_name = ast.Name("_print") _print_target_name = ast.Name("_print")
_write_name = ast.Name("_write_") _write_name = ast.Name("_write_")
_inplacevar_name = ast.Name("_inplacevar_")
# Constants. # Constants.
_None_const = ast.Const(None) _None_const = ast.Const(None)
...@@ -239,9 +240,9 @@ class RestrictionMutator: ...@@ -239,9 +240,9 @@ class RestrictionMutator:
# for x in expr: # for x in expr:
# to # to
# for x in _getiter(expr): # for x in _getiter(expr):
# # Note that visitListCompFor is the same thing.
# #
# Note that visitListCompFor is the same thing. Exactly the same # Also for list comprehensions:
# transformation is needed to convert
# [... for x in expr ...] # [... for x in expr ...]
# to # to
# [... for x in _getiter(expr) ...] # [... for x in _getiter(expr) ...]
...@@ -251,6 +252,15 @@ class RestrictionMutator: ...@@ -251,6 +252,15 @@ class RestrictionMutator:
visitListCompFor = visitFor visitListCompFor = visitFor
def visitGenExprFor(self, node, walker):
# convert
# (... for x in expr ...)
# to
# (... for x in _getiter(expr) ...)
node = walker.defaultVisitNode(node)
node.iter = ast.CallFunc(_getiter_name, [node.iter])
return node
def visitGetattr(self, node, walker): def visitGetattr(self, node, walker):
"""Converts attribute access to a function call. """Converts attribute access to a function call.
...@@ -365,6 +375,21 @@ class RestrictionMutator: ...@@ -365,6 +375,21 @@ class RestrictionMutator:
This could be a problem if untrusted code got access to a This could be a problem if untrusted code got access to a
mutable database object that supports augmented assignment. mutable database object that supports augmented assignment.
""" """
if node.node.__class__.__name__ == 'Name':
node = walker.defaultVisitNode(node)
newnode = ast.Assign(
[ast.AssName(node.node.name, OP_ASSIGN)],
ast.CallFunc(
_inplacevar_name,
[ast.Const(node.op),
ast.Name(node.node.name),
node.expr,
]
),
)
newnode.lineno = node.lineno
return newnode
else:
node.node.in_aug_assign = True node.node.in_aug_assign = True
return walker.defaultVisitNode(node) return walker.defaultVisitNode(node)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment