[Checkins] SVN: five.pt/trunk/ Use secure moduler importer for both Zope 2 and 3 template classes.
Malthe Borch
mborch at gmail.com
Mon Aug 1 02:40:42 EDT 2011
Log message for revision 122434:
Use secure module importer for both Zope 2 and 3 template classes.
Changed:
U five.pt/trunk/CHANGES.txt
U five.pt/trunk/setup.py
U five.pt/trunk/src/five/pt/expressions.py
U five.pt/trunk/src/five/pt/patches.py
-=-
Modified: five.pt/trunk/CHANGES.txt
===================================================================
--- five.pt/trunk/CHANGES.txt 2011-08-01 06:25:44 UTC (rev 122433)
+++ five.pt/trunk/CHANGES.txt 2011-08-01 06:40:42 UTC (rev 122434)
@@ -1,6 +1,11 @@
Changelog
=========
+In next release ...
+
+- Use secure moduler importer for both Zope 2 and 3 templates. This
+ fixes issue #34.
+
2.1.4 (2011-07-28)
~~~~~~~~~~~~~~~~~~
Modified: five.pt/trunk/setup.py
===================================================================
--- five.pt/trunk/setup.py 2011-08-01 06:25:44 UTC (rev 122433)
+++ five.pt/trunk/setup.py 2011-08-01 06:40:42 UTC (rev 122434)
@@ -1,6 +1,6 @@
from setuptools import setup, find_packages
-version = '2.1.4'
+version = '2.1.5dev'
setup(name='five.pt',
version=version,
@@ -27,6 +27,7 @@
'setuptools',
'z3c.pt>=2.1',
'sourcecodegen',
+ 'Chameleon>2.2',
],
entry_points="""
[z3c.autoinclude.plugin]
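Review bot: The new requirement `'Chameleon>2.2'` uses a strict lower bound, unlike `'z3c.pt>=2.1'` just above it, so Chameleon 2.2 itself is excluded without the reason being stated. Because `patches.py` in this commit now passes `extra_builtins=` to the Chameleon template classes, the floor presumably marks the first release that accepts that keyword. Writing it as `'Chameleon>=<first release accepting extra_builtins>'` with a one-line comment would make the dependency explicit and keep an older Chameleon from being installed alongside the security fix. The `install_requires` list starts outside the hunk.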
Modified: five.pt/trunk/src/five/pt/expressions.py
===================================================================
--- five.pt/trunk/src/five/pt/expressions.py 2011-08-01 06:25:44 UTC (rev 122433)
+++ five.pt/trunk/src/five/pt/expressions.py 2011-08-01 06:40:42 UTC (rev 122434)
@@ -214,9 +214,6 @@
(name, static(builtin)) for (name, builtin) in utility_builtins.items()
))
- builtins['modules'] = template("cls()", cls=Symbol(
- ZRPythonExpr._SecureModuleImporter), mode="eval")
-
def rewrite(self, node):
if node.id == 'repeat':
node.id = 'wrapped_repeat'
Modified: five.pt/trunk/src/five/pt/patches.py
===================================================================
--- five.pt/trunk/src/five/pt/patches.py 2011-08-01 06:25:44 UTC (rev 122433)
+++ five.pt/trunk/src/five/pt/patches.py 2011-08-01 06:40:42 UTC (rev 122434)
@@ -15,6 +15,7 @@
from AccessControl.SecurityInfo import ClassSecurityInfo
from App.class_init import InitializeClass
from Products.PageTemplates.Expressions import getEngine
+from Products.PageTemplates import ZRPythonExpr
from chameleon.tales import StringExpr
from chameleon.tales import NotExpr
@@ -64,23 +65,28 @@
def cook(self):
engine = self.pt_getEngine()
- filename = getattr(self, 'filename', None)
+ filename = getattr(self, 'filename', None) or \
+ getattr(self, '_filename', None)
if engine is getEngine():
expression_types = _secure_expression_types
else:
expression_types = _expression_types
+ extra_builtins = {
+ 'modules': ZRPythonExpr._SecureModuleImporter()
+ }
+
if filename is None:
program = ChameleonPageTemplate(
self._text, keep_body=True,
expression_types=expression_types,
- encoding='utf-8')
+ encoding='utf-8', extra_builtins=extra_builtins)
else:
program = ChameleonPageTemplateFile(
filename, keep_body=True,
expression_types=expression_types,
- encoding='utf-8')
+ encoding='utf-8', extra_builtins=extra_builtins)
self._v_program = program
self._v_macros = program.macros
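Review bot: The `extra_builtins` dict in `cook` installs `ZRPythonExpr._SecureModuleImporter()` as `modules` on both branches, including the one that selects the non-secure `_expression_types`, and nothing in the code says this is deliberate. A short comment above the dict, e.g. `# 'modules' is always the restricted importer, whichever expression types are selected; do not swap in an unrestricted one`, would keep a later edit from weakening it. The commit's file list shows no test change, so a regression test that renders a template which asks `modules` for a module not declared importable, and expects the import to be refused, would pin the fix for issue #34. The mixed `or` / `is None` handling of `filename` also lets an empty-string `_filename` reach `ChameleonPageTemplateFile`; `if not filename:` would treat both cases the same. `cook` may continue past the end of the hunk.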