[Checkins] SVN: five.pt/trunk/ Wire in builtins as module imports. This has a semantic change in that the builtins are available only in the restricted python expression type.
Malthe Borch
mborch at gmail.com
Thu Jul 21 03:25:43 EDT 2011
Log message for revision 122308:
Wire in builtins as module imports. This has a semantic change in that the builtins are available only in the restricted python expression type.
Changed:
U five.pt/trunk/CHANGES.txt
U five.pt/trunk/src/five/pt/expressions.py
U five.pt/trunk/src/five/pt/patches.py
U five.pt/trunk/src/five/pt/tests/locals.pt
-=-
Modified: five.pt/trunk/CHANGES.txt
===================================================================
--- five.pt/trunk/CHANGES.txt 2011-07-20 16:57:12 UTC (rev 122307)
+++ five.pt/trunk/CHANGES.txt 2011-07-21 07:25:42 UTC (rev 122308)
@@ -3,6 +3,10 @@
In next release ...
+- Wire in restricted python builtins as imports. Previously these were
+ added to the dynamic context.
+ [malthe]
+
- Use the Python expression from the ``z3c.pt`` package for the
trusted page template engine. This difference between this and the
standard Python expression from Chameleon is that the pipe character
Modified: five.pt/trunk/src/five/pt/expressions.py
===================================================================
--- five.pt/trunk/src/five/pt/expressions.py 2011-07-20 16:57:12 UTC (rev 122307)
+++ five.pt/trunk/src/five/pt/expressions.py 2011-07-21 07:25:42 UTC (rev 122308)
@@ -14,6 +14,7 @@
from zope.contentprovider.interfaces import ContentProviderLookupError
from RestrictedPython.RestrictionMutator import RestrictionMutator
+from RestrictedPython.Utilities import utility_builtins
from RestrictedPython import MutatingWalker
from AccessControl.ZopeGuards import guarded_getattr
@@ -50,6 +51,10 @@
TraversalError
+def static(obj):
+ return Static(template("obj", obj=Symbol(obj), mode="eval"))
+
+
def render(ob, request):
"""Calls the object, possibly a document template, or just returns
it if not callable. (From Products.PageTemplates.Expressions.py)
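Review bot: `static` has no docstring, although it is the point where a live Python object gets embedded into compiled template code, so its contract deserves stating. I would add `"""Return a Static node that evaluates to obj itself; pass only objects that are safe to expose to restricted expressions."""`. `Static`, `template` and `Symbol` are imported outside this hunk, so their exact semantics are inferred here from how they are called.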
@@ -187,20 +192,30 @@
rm = RestrictionMutator()
rt = RestrictionTransform()
- def _dynamic_transform(node):
+ builtins = dict(
+ (name, static(builtin)) for (name, builtin) in utility_builtins.items()
+ )
+
+ def nt(self, node):
if node.id == 'repeat':
node.id = 'wrapped_repeat'
+ else:
+ node = self.builtins.get(node.id, node)
return node
- nt = NameLookupRewriteVisitor(_dynamic_transform)
-
def parse(self, string):
decoded = decode_htmlentities(string)
node = ast24_parse(decoded, 'eval').node
MutatingWalker.walk(node, self.rm)
string = generate_code(node)
value = super(UntrustedPythonExpr, self).parse(string)
+
+ # Run restricted python transform
self.rt.visit(value)
- self.nt.visit(value)
+
+ # Rewrite builtins
+ transform = NameLookupRewriteVisitor(self.nt)
+ transform.visit(value)
+
return value
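Review bot: The `else` branch in `nt` replaces every name that matches a key of `utility_builtins` with the static builtin, so a template variable that happens to be called `test` or `same_type` may no longer be reachable from a `python:` expression; whether `NameLookupRewriteVisitor` skips locally bound names is not visible in this hunk. The `builtins` dict is also built once in the class body, so entries added to `utility_builtins` after this module is imported would not be picked up, whereas the code removed from patches.py held a reference to `utility_builtins` itself. The substitution happens after `self.rt.visit(value)` has run, so the inserted nodes are not themselves seen by the restricted transform; I would record that on the attribute, e.g. `# Snapshot of utility_builtins taken at import; values are embedded as trusted statics after the restricted transform.` The enclosing class starts outside the hunk.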
Modified: five.pt/trunk/src/five/pt/patches.py
===================================================================
--- five.pt/trunk/src/five/pt/patches.py 2011-07-20 16:57:12 UTC (rev 122307)
+++ five.pt/trunk/src/five/pt/patches.py 2011-07-21 07:25:42 UTC (rev 122308)
@@ -15,7 +15,6 @@
from AccessControl.SecurityInfo import ClassSecurityInfo
from App.class_init import InitializeClass
from Products.PageTemplates.Expressions import getEngine
-from RestrictedPython.Utilities import utility_builtins
from chameleon.tales import StringExpr
from chameleon.tales import NotExpr
@@ -31,7 +30,6 @@
from .expressions import UntrustedPythonExpr
-
# Declare Chameleon's repeat dictionary public
RepeatDict.security = ClassSecurityInfo()
RepeatDict.security.declareObjectPublic()
@@ -70,10 +68,8 @@
if engine is getEngine():
expression_types = _secure_expression_types
- builtins = utility_builtins
else:
expression_types = _expression_types
- builtins = {}
if filename is None:
program = ChameleonPageTemplate(
@@ -86,8 +82,6 @@
expression_types=expression_types,
encoding='utf-8')
- program._v_builtins = builtins
-
self._v_program = program
self._v_macros = program.macros
self._v_cooked = 1
@@ -130,9 +124,6 @@
context['wrapped_repeat'] = context['repeat']
context['repeat'] = RepeatDict(self.repeat)
- # Update context with applicable builtins
- context.update(self.template._v_builtins)
-
result = self.template.render(**context)
self.stream.write(result)
Modified: five.pt/trunk/src/five/pt/tests/locals.pt
===================================================================
--- five.pt/trunk/src/five/pt/tests/locals.pt 2011-07-20 16:57:12 UTC (rev 122307)
+++ five.pt/trunk/src/five/pt/tests/locals.pt 2011-07-21 07:25:42 UTC (rev 122308)
@@ -7,6 +7,8 @@
<div tal:replace="string:nothing:${nothing}" />
<div tal:define="cgi python:modules['cgi']"
tal:replace="python: dir(cgi)" />
- <div tal:define="test nocall: test|nothing" tal:replace="python: test" />
- <div tal:define="same nocall: same_type|nothing" tal:replace="python: same" />
+ <tal:error on-error="nothing">
+ <div tal:define="test python: test" tal:replace="python: test" />
+ <div tal:define="same python: same_type" tal:replace="python: same" />
+ </tal:error>
</div>
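Review bot: The new `<tal:error on-error="nothing">` wrapper swallows any exception raised by either `python: test` or `python: same_type`, so a regression in the builtin rewrite would render as empty output instead of a failing template. If this fixture is rendered by both the trusted and the restricted engine, which is presumably why the wrapper was added, the expected output for the restricted case should assert that both values actually render; that expected output is not visible here. Giving each `<div>` its own `on-error` would also keep a failure in one lookup from hiding the other.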