[Checkins] SVN: five.pt/trunk/ Wire in builtins as module imports. This has a semantic change in that the builtins are available only in the restricted python expression type.

Malthe Borch mborch at gmail.com
Thu Jul 21 03:25:43 EDT 2011


Log message for revision 122308:
  Wire in builtins as module imports. This has a semantic change in that the builtins are available only in the restricted python expression type.

Changed:
  U   five.pt/trunk/CHANGES.txt
  U   five.pt/trunk/src/five/pt/expressions.py
  U   five.pt/trunk/src/five/pt/patches.py
  U   five.pt/trunk/src/five/pt/tests/locals.pt

-=-
Modified: five.pt/trunk/CHANGES.txt
===================================================================
--- five.pt/trunk/CHANGES.txt	2011-07-20 16:57:12 UTC (rev 122307)
+++ five.pt/trunk/CHANGES.txt	2011-07-21 07:25:42 UTC (rev 122308)
@@ -3,6 +3,10 @@
 
 In next release ...
 
+- Wire in restricted python builtins as imports. Previously these were
+  added to the dynamic context.
+  [malthe]
+
 - Use the Python expression from the ``z3c.pt`` package for the
   trusted page template engine. This difference between this and the
   standard Python expression from Chameleon is that the pipe character

Modified: five.pt/trunk/src/five/pt/expressions.py
===================================================================
--- five.pt/trunk/src/five/pt/expressions.py	2011-07-20 16:57:12 UTC (rev 122307)
+++ five.pt/trunk/src/five/pt/expressions.py	2011-07-21 07:25:42 UTC (rev 122308)
@@ -14,6 +14,7 @@
 from zope.contentprovider.interfaces import ContentProviderLookupError
 
 from RestrictedPython.RestrictionMutator import RestrictionMutator
+from RestrictedPython.Utilities import utility_builtins
 from RestrictedPython import MutatingWalker
 
 from AccessControl.ZopeGuards import guarded_getattr
@@ -50,6 +51,10 @@
                    TraversalError
 
 
+def static(obj):
+    return Static(template("obj", obj=Symbol(obj), mode="eval"))
+
+
 def render(ob, request):
     """Calls the object, possibly a document template, or just returns
     it if not callable.  (From Products.PageTemplates.Expressions.py)
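Review bot: The new `static` helper has no docstring, and its one-line body does not say what kind of node it returns or when `obj` is bound. I would add something like `"""Return an AST node that evaluates to ``obj`` itself, bound when the expression is compiled."""`, adjusted to whatever `Static`, `template` and `Symbol` actually guarantee, since their imports are outside this hunk. That matters here because the helper is what places the RestrictedPython utility objects into compiled untrusted expressions.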
@@ -187,20 +192,30 @@
     rm = RestrictionMutator()
     rt = RestrictionTransform()
 
-    def _dynamic_transform(node):
+    builtins = dict(
+        (name, static(builtin)) for (name, builtin) in utility_builtins.items()
+        )
+
+    def nt(self, node):
         if node.id == 'repeat':
             node.id = 'wrapped_repeat'
+        else:
+            node = self.builtins.get(node.id, node)
 
         return node
 
-    nt = NameLookupRewriteVisitor(_dynamic_transform)
-
     def parse(self, string):
         decoded = decode_htmlentities(string)
         node = ast24_parse(decoded, 'eval').node
         MutatingWalker.walk(node, self.rm)
         string = generate_code(node)
         value = super(UntrustedPythonExpr, self).parse(string)
+
+        # Run restricted python transform
         self.rt.visit(value)
-        self.nt.visit(value)
+
+        # Rewrite builtins
+        transform = NameLookupRewriteVisitor(self.nt)
+        transform.visit(value)
+
         return value
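Review bot: The rewrite in `nt` replaces every loaded name found in `utility_builtins` with a static reference, so a template variable of the same name (the test template in this commit defines `test`) would be silently ignored inside `python:` expressions, unless `NameLookupRewriteVisitor` tracks scope, which the hunk does not show. Since this is the untrusted expression type, that precedence is worth stating explicitly; I would add above `nt` a comment such as `# Names in utility_builtins are bound at compile time and take precedence over template variables of the same name.` A one-line comment on why the builtin rewrite runs after `self.rt.visit(value)` would also help, because the static nodes inserted afterwards are never seen by the restriction transform. The enclosing class starts outside the hunk.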

Modified: five.pt/trunk/src/five/pt/patches.py
===================================================================
--- five.pt/trunk/src/five/pt/patches.py	2011-07-20 16:57:12 UTC (rev 122307)
+++ five.pt/trunk/src/five/pt/patches.py	2011-07-21 07:25:42 UTC (rev 122308)
@@ -15,7 +15,6 @@
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from App.class_init import InitializeClass
 from Products.PageTemplates.Expressions import getEngine
-from RestrictedPython.Utilities import utility_builtins
 
 from chameleon.tales import StringExpr
 from chameleon.tales import NotExpr
@@ -31,7 +30,6 @@
 from .expressions import UntrustedPythonExpr
 
 
-
 # Declare Chameleon's repeat dictionary public
 RepeatDict.security = ClassSecurityInfo()
 RepeatDict.security.declareObjectPublic()
@@ -70,10 +68,8 @@
 
     if engine is getEngine():
         expression_types = _secure_expression_types
-        builtins = utility_builtins
     else:
         expression_types = _expression_types
-        builtins = {}
 
     if filename is None:
         program = ChameleonPageTemplate(
@@ -86,8 +82,6 @@
             expression_types=expression_types,
             encoding='utf-8')
 
-    program._v_builtins = builtins
-
     self._v_program = program
     self._v_macros = program.macros
     self._v_cooked = 1
@@ -130,9 +124,6 @@
             context['wrapped_repeat'] = context['repeat']
             context['repeat'] = RepeatDict(self.repeat)
 
-            # Update context with applicable builtins
-            context.update(self.template._v_builtins)
-
             result = self.template.render(**context)
 
         self.stream.write(result)

Modified: five.pt/trunk/src/five/pt/tests/locals.pt
===================================================================
--- five.pt/trunk/src/five/pt/tests/locals.pt	2011-07-20 16:57:12 UTC (rev 122307)
+++ five.pt/trunk/src/five/pt/tests/locals.pt	2011-07-21 07:25:42 UTC (rev 122308)
@@ -7,6 +7,8 @@
     <div tal:replace="string:nothing:${nothing}" />
     <div tal:define="cgi python:modules['cgi']"
          tal:replace="python: dir(cgi)" />
-    <div tal:define="test nocall: test|nothing" tal:replace="python: test" />
-    <div tal:define="same nocall: same_type|nothing" tal:replace="python: same" />
+    <tal:error on-error="nothing">
+      <div tal:define="test python: test" tal:replace="python: test" />
+      <div tal:define="same python: same_type" tal:replace="python: same" />
+    </tal:error>
 </div>
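Review bot: The `on-error="nothing"` wrapper around both divs swallows any exception raised inside it, so a failure to resolve `test` or `same_type` in the restricted engine would render as nothing instead of an error; whether the expected-output file catches that is not visible here. The wrapper also couples the two checks, since an error in the first div suppresses the second. I would move the handler onto each element, e.g. `<div tal:on-error="nothing" tal:define="test python: test" tal:replace="python: test" />`, and pin a separate expected output per engine if the suite does not already do so.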


