Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
erp5
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Leo Le Bouter
erp5
Commits
8605209d
Commit
8605209d
authored
Sep 02, 2014
by
Arnaud Fontaine
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
RestrictedPython: Add permissions to use defaultdict and OrderedDict (collections module).
parent
73bc06bf
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
34 additions
and
15 deletions
+34
-15
product/ERP5Type/patches/Restricted.py
product/ERP5Type/patches/Restricted.py
+34
-15
No files found.
product/ERP5Type/patches/Restricted.py
View file @
8605209d
...
@@ -23,6 +23,8 @@ RestrictionMutator.checkName = RestrictionMutator.checkAttrName = \
...
@@ -23,6 +23,8 @@ RestrictionMutator.checkName = RestrictionMutator.checkAttrName = \
from
Acquisition
import
aq_acquire
from
Acquisition
import
aq_acquire
from
AccessControl
import
getSecurityManager
from
AccessControl
import
getSecurityManager
from
AccessControl
import
allow_module
,
allow_class
,
allow_type
from
AccessControl
import
ModuleSecurityInfo
from
AccessControl.ZopeGuards
import
(
safe_builtins
,
_marker
,
Unauthorized
,
from
AccessControl.ZopeGuards
import
(
safe_builtins
,
_marker
,
Unauthorized
,
aq_validate
,
guard
,
guarded_getattr
,
guarded_iter
,
SafeIter
,
NullIter
,
aq_validate
,
guard
,
guarded_getattr
,
guarded_iter
,
SafeIter
,
NullIter
,
ContainerAssertions
,
GuardedDictType
,
_dict_white_list
)
ContainerAssertions
,
GuardedDictType
,
_dict_white_list
)
...
@@ -113,34 +115,51 @@ def get_set_pop(s, name):
...
@@ -113,34 +115,51 @@ def get_set_pop(s, name):
return
v
return
v
return
guarded_pop
return
guarded_pop
_set_white_get
=
{
def
_check_access_wrapper
(
expected_type
,
white_list_dict
):
'add'
:
1
,
'clear'
:
1
,
'copy'
:
1
,
'difference'
:
1
,
'difference_update'
:
1
,
def
_check_access
(
name
,
value
):
'discard'
:
1
,
'intersection'
:
1
,
'intersection_update'
:
1
,
'isdisjoint'
:
1
,
# Check whether value is a method of expected type
'issubset'
:
1
,
'issuperset'
:
1
,
'pop'
:
get_set_pop
,
'remove'
:
1
,
'symmetric_difference'
:
1
,
'symmetric_difference_update'
:
1
,
'union'
:
1
,
'update'
:
1
}.
get
def
_check_set_access
(
name
,
value
):
# Check whether value is a set method
self
=
getattr
(
value
,
'__self__'
,
None
)
self
=
getattr
(
value
,
'__self__'
,
None
)
if
self
is
None
:
# item
if
self
is
None
:
# item
return
1
return
1
# Disallow spoofing
# Disallow spoofing
if
type
(
self
)
is
not
set
:
if
type
(
self
)
is
not
expected_type
:
return
0
return
0
if
getattr
(
value
,
'__name__'
,
None
)
!=
name
:
if
getattr
(
value
,
'__name__'
,
None
)
!=
name
:
return
0
return
0
return
_set_white_get
(
name
,
0
)
return
white_list_dict
.
get
(
name
,
0
)
return
_check_access
_set_white_dict
=
{
'add'
:
1
,
'clear'
:
1
,
'copy'
:
1
,
'difference'
:
1
,
'difference_update'
:
1
,
'discard'
:
1
,
'intersection'
:
1
,
'intersection_update'
:
1
,
'isdisjoint'
:
1
,
'issubset'
:
1
,
'issuperset'
:
1
,
'pop'
:
get_set_pop
,
'remove'
:
1
,
'symmetric_difference'
:
1
,
'symmetric_difference_update'
:
1
,
'union'
:
1
,
'update'
:
1
}
ContainerAssertions
[
set
]
=
_check_
set_access
ContainerAssertions
[
set
]
=
_check_
access_wrapper
(
set
,
_set_white_dict
)
ContainerAssertions
[
frozenset
]
=
1
ContainerAssertions
[
frozenset
]
=
1
from
collections
import
OrderedDict
from
collections
import
OrderedDict
OrderedDict
.
__allow_access_to_unprotected_subobjects__
=
1
ModuleSecurityInfo
(
'collections'
).
declarePublic
(
'OrderedDict'
)
from
AccessControl
import
allow_module
,
allow_class
,
allow_type
from
collections
import
defaultdict
from
AccessControl
import
ModuleSecurityInfo
ModuleSecurityInfo
(
'collections'
).
declarePublic
(
'defaultdict'
)
from
AccessControl.ZopeGuards
import
_dict_white_list
# Attributes cannot be set on defaultdict, thus modify 'safetype' dict
# (closure) directly to ignore defaultdict like dict/list
from
RestrictedPython.Guards
import
full_write_guard
ContainerAssertions
[
defaultdict
]
=
_check_access_wrapper
(
defaultdict
,
_dict_white_list
)
full_write_guard
.
func_closure
[
1
].
cell_contents
.
__self__
[
defaultdict
]
=
True
# In contrary to builtins such as dict/defaultdict, it is possible to set
# attributes on OrderedDict instances, so only allow setitem/delitem
ContainerAssertions
[
OrderedDict
]
=
_check_access_wrapper
(
OrderedDict
,
_dict_white_list
)
OrderedDict
.
__guarded_setitem__
=
OrderedDict
.
__setitem__
.
__func__
OrderedDict
.
__guarded_delitem__
=
OrderedDict
.
__delitem__
.
__func__
# given as example in Products.PythonScripts.module_access_examples
# given as example in Products.PythonScripts.module_access_examples
allow_module
(
'base64'
)
allow_module
(
'base64'
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment