[Zope-Checkins] CVS: Zope/lib/python/Products/PageTemplates - Expressions.py:1.45 ZRPythonExpr.py:1.11

Tres Seaver tseaver at zope.com
Thu Jan 15 18:09:38 EST 2004


Update of /cvs-repository/Zope/lib/python/Products/PageTemplates
In directory cvs.zope.org:/tmp/cvs-serv24317/Products/PageTemplates

Modified Files:
	Expressions.py ZRPythonExpr.py 
Log Message:


  - Merge a number of entangled issues from 2.6 / 2.7 audit:

    Iteration over sequences could in some cases fail to check access 
    to an object obtained from the sequence. Subsequent checks (such 
    as for attribute access) of such an object would still be 
    performed, but it should not have been possible to obtain the 
    object in the first place.

    List and dictionary instance methods such as the get method of 
    dictionary objects were not security aware and could return an 
    object without checking access to that object. Subsequent checks 
    (such as for attribute access) of such an object would still be 
    performed, but it should not have been possible to obtain the 
    object in the first place.

    Use of "import as" in Python scripts could potentially rebind 
    names in ways that could be used to avoid appropriate security 
    checks.

    A number of newer built-ins were either unavailable in untrusted 
    code or did not perform adequate security checking.

    Unpacking via function calls, variable assignment, exception 
    variables and other contexts did not perform adequate security 
    checks, potentially allowing access to objects that should have 
    been protected.

    Class security was not properly initialized for PythonScripts, 
    potentially allowing access to variables that should be protected. 
    It turned out that most of the security assertions were in fact 
    activated as a side effect of other code, but this fix is still 
    appropriate to ensure that all security declarations are properly 
    applied.

    DTMLMethods with proxy rights could incorrectly transfer those 
    rights via acquisition when traversing to a parent object.


=== Zope/lib/python/Products/PageTemplates/Expressions.py 1.44 => 1.45 ===
--- Zope/lib/python/Products/PageTemplates/Expressions.py:1.44	Tue Nov  4 14:36:05 2003
+++ Zope/lib/python/Products/PageTemplates/Expressions.py	Thu Jan 15 18:09:06 2004
@@ -54,12 +54,7 @@
         from AccessControl import Unauthorized
     except ImportError:
         Unauthorized = "Unauthorized"
-    if hasattr(AccessControl, 'full_read_guard'):
-        from ZRPythonExpr import PythonExpr, _SecureModuleImporter, \
-             call_with_ns
-    else:
-        from ZPythonExpr import PythonExpr, _SecureModuleImporter, \
-             call_with_ns
+    from ZRPythonExpr import PythonExpr, _SecureModuleImporter, call_with_ns
 else:
     from PythonExpr import getSecurityManager, PythonExpr
     guarded_getattr = getattr
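Review bot: the new unconditional `from ZRPythonExpr import ...` sits inside the same `try` whose `except ImportError` only sets `Unauthorized = "Unauthorized"`, so if ZRPythonExpr itself fails to import (its new dependency on `get_safe_globals` is only in the second file of this checkin) the module now falls through to the `else:` branch and silently uses the unguarded `guarded_getattr = getattr` path rather than failing loudly. Either move the ZRPythonExpr import outside that `try` or narrow the `except` so that a missing ZRPythonExpr dependency is a hard error, not a downgrade to unrestricted attribute access. Also worth a one-line comment recording that the `ZPythonExpr` fallback (pre-`full_read_guard` AccessControl) is intentionally dropped.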
@@ -312,7 +307,7 @@
             # Skip directly to item access
             o = object[name]
             # Check access to the item.
-            if not validate(object, object, name, o):
+            if not validate(object, object, None, o):
                 raise Unauthorized, name
             object = o
             continue
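Review bot: the comment above `if not validate(object, object, None, o):` still just says "Check access to the item." and does not explain why `name` is no longer passed to `validate`, even though the `raise Unauthorized, name` two lines later keeps reporting it. Add a sentence stating the intent (that the item is to be validated as a value in its own right, not resolved through a name on the container), since a future reader will otherwise be tempted to "restore" the name argument.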
@@ -367,7 +362,7 @@
                     raise
                 else:
                     # Check access to the item.
-                    if not validate(object, object, name, o):
+                    if not validate(object, object, None, o):
                         raise Unauthorized, name
         object = o
 


=== Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py 1.10 => 1.11 ===
--- Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py:1.10	Wed Aug 14 18:17:24 2002
+++ Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py	Thu Jan 15 18:09:06 2004
@@ -18,19 +18,18 @@
 
 __version__='$Revision$'[11:-2]
 
-from AccessControl import full_read_guard, full_write_guard, \
-     safe_builtins, getSecurityManager
-from AccessControl.ZopeGuards import guarded_getattr, guarded_getitem
+from AccessControl import safe_builtins
+from AccessControl.ZopeGuards import guarded_getattr, get_safe_globals
 from RestrictedPython import compile_restricted_eval
 from TALES import CompilerError
 
 from PythonExpr import PythonExpr
 
 class PythonExpr(PythonExpr):
-    _globals = {'__debug__': __debug__,
-                '__builtins__': safe_builtins,
-                '_getattr_': guarded_getattr,
-                '_getitem_': guarded_getitem,}
+    _globals = get_safe_globals()
+    _globals['_getattr_'] = guarded_getattr
+    _globals['__debug__' ] = __debug__
+
     def __init__(self, name, expr, engine):
         self.expr = expr = expr.strip().replace('\n', ' ')
         code, err, warn, use = compile_restricted_eval(expr, str(self))
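Review bot: `_globals = get_safe_globals()` followed by `_globals['_getattr_'] = guarded_getattr` and `_globals['__debug__' ] = __debug__` mutates whatever dictionary `get_safe_globals()` returns; if that function hands back a shared module-level dict rather than a fresh copy, these class-body assignments change the globals seen by every other user of `get_safe_globals()`. Either confirm (and comment) that it returns a new dict each call, or make the intent explicit with `_globals = get_safe_globals().copy()` before the two assignments. Also note in a comment that `_getitem_`, previously set explicitly to `guarded_getitem`, is now expected to come from `get_safe_globals()`, and drop the stray space in `'__debug__' ]`.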

