Commit
8605209d
authored
Sep 02, 2014
by
Arnaud Fontaine
RestrictedPython: Add permissions to use defaultdict and OrderedDict (collections module).
parent
73bc06bf
Showing
1 changed file
with
34 additions
and
15 deletions
+34
-15
product/ERP5Type/patches/Restricted.py
product/ERP5Type/patches/Restricted.py
+34
-15
product/ERP5Type/patches/Restricted.py
...
@@ -23,6 +23,8 @@ RestrictionMutator.checkName = RestrictionMutator.checkAttrName = \
...
@@ -23,6 +23,8 @@ RestrictionMutator.checkName = RestrictionMutator.checkAttrName = \
from
Acquisition
import
aq_acquire
from
Acquisition
import
aq_acquire
from
AccessControl
import
getSecurityManager
from
AccessControl
import
getSecurityManager
from
AccessControl
import
allow_module
,
allow_class
,
allow_type
from
AccessControl
import
ModuleSecurityInfo
from
AccessControl.ZopeGuards
import
(
safe_builtins
,
_marker
,
Unauthorized
,
from
AccessControl.ZopeGuards
import
(
safe_builtins
,
_marker
,
Unauthorized
,
aq_validate
,
guard
,
guarded_getattr
,
guarded_iter
,
SafeIter
,
NullIter
,
aq_validate
,
guard
,
guarded_getattr
,
guarded_iter
,
SafeIter
,
NullIter
,
ContainerAssertions
,
GuardedDictType
,
_dict_white_list
)
ContainerAssertions
,
GuardedDictType
,
_dict_white_list
)
...
@@ -113,34 +115,51 @@ def get_set_pop(s, name):
...
@@ -113,34 +115,51 @@ def get_set_pop(s, name):
return
v
return
v
return
guarded_pop
return
guarded_pop
_set_white_get
=
{
def
_check_access_wrapper
(
expected_type
,
white_list_dict
):
'add'
:
1
,
'clear'
:
1
,
'copy'
:
1
,
'difference'
:
1
,
'difference_update'
:
1
,
def
_check_access
(
name
,
value
):
'discard'
:
1
,
'intersection'
:
1
,
'intersection_update'
:
1
,
'isdisjoint'
:
1
,
# Check whether value is a method of expected type
'issubset'
:
1
,
'issuperset'
:
1
,
'pop'
:
get_set_pop
,
'remove'
:
1
,
'symmetric_difference'
:
1
,
'symmetric_difference_update'
:
1
,
'union'
:
1
,
'update'
:
1
}.
get
def
_check_set_access
(
name
,
value
):
# Check whether value is a set method
self
=
getattr
(
value
,
'__self__'
,
None
)
self
=
getattr
(
value
,
'__self__'
,
None
)
if
self
is
None
:
# item
if
self
is
None
:
# item
return
1
return
1
# Disallow spoofing
# Disallow spoofing
if
type
(
self
)
is
not
set
:
if
type
(
self
)
is
not
expected_type
:
return
0
return
0
if
getattr
(
value
,
'__name__'
,
None
)
!=
name
:
if
getattr
(
value
,
'__name__'
,
None
)
!=
name
:
return
0
return
0
return
_set_white_get
(
name
,
0
)
return
white_list_dict
.
get
(
name
,
0
)
return
_check_access
_set_white_dict
=
{
'add'
:
1
,
'clear'
:
1
,
'copy'
:
1
,
'difference'
:
1
,
'difference_update'
:
1
,
'discard'
:
1
,
'intersection'
:
1
,
'intersection_update'
:
1
,
'isdisjoint'
:
1
,
'issubset'
:
1
,
'issuperset'
:
1
,
'pop'
:
get_set_pop
,
'remove'
:
1
,
'symmetric_difference'
:
1
,
'symmetric_difference_update'
:
1
,
'union'
:
1
,
'update'
:
1
}
ContainerAssertions
[
set
]
=
_check_
set_access
ContainerAssertions
[
set
]
=
_check_
access_wrapper
(
set
,
_set_white_dict
)
ContainerAssertions
[
frozenset
]
=
1
ContainerAssertions
[
frozenset
]
=
1
from
collections
import
OrderedDict
from
collections
import
OrderedDict
OrderedDict
.
__allow_access_to_unprotected_subobjects__
=
1
ModuleSecurityInfo
(
'collections'
).
declarePublic
(
'OrderedDict'
)
from
AccessControl
import
allow_module
,
allow_class
,
allow_type
from
collections
import
defaultdict
from
AccessControl
import
ModuleSecurityInfo
ModuleSecurityInfo
(
'collections'
).
declarePublic
(
'defaultdict'
)
from
AccessControl.ZopeGuards
import
_dict_white_list
# Attributes cannot be set on defaultdict, thus modify 'safetype' dict
# (closure) directly to ignore defaultdict like dict/list
from
RestrictedPython.Guards
import
full_write_guard
ContainerAssertions
[
defaultdict
]
=
_check_access_wrapper
(
defaultdict
,
_dict_white_list
)
full_write_guard
.
func_closure
[
1
].
cell_contents
.
__self__
[
defaultdict
]
=
True
# In contrary to builtins such as dict/defaultdict, it is possible to set
# attributes on OrderedDict instances, so only allow setitem/delitem
ContainerAssertions
[
OrderedDict
]
=
_check_access_wrapper
(
OrderedDict
,
_dict_white_list
)
OrderedDict
.
__guarded_setitem__
=
OrderedDict
.
__setitem__
.
__func__
OrderedDict
.
__guarded_delitem__
=
OrderedDict
.
__delitem__
.
__func__
# given as example in Products.PythonScripts.module_access_examples
# given as example in Products.PythonScripts.module_access_examples
allow_module
(
'base64'
)
allow_module
(
'base64'
)
...
...
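Review bot: The statement `full_write_guard.func_closure[1].cell_contents.__self__[defaultdict] = True` selects the closure cell by position and never checks what it resolved to. A RestrictedPython release with a different closure layout would either fail at import or quietly mutate an unrelated object, leaving the write policy for defaultdict undefined. Because this line widens what restricted code may write to, I would bind and verify the target first: `_safetype = full_write_guard.func_closure[1].cell_contents.__self__`, then `if not (isinstance(_safetype, dict) and dict in _safetype and list in _safetype): raise RuntimeError('unexpected full_write_guard closure layout')`, then `_safetype[defaultdict] = True`. If, as the comment implies, types in that mapping are returned unwrapped by the write guard, then assignment to `default_factory` from restricted scripts is presumably unmediated as well. A comment stating whether that is intended would help the next reviewer of this sandbox policy.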