[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/ Added protection against the (small) risk that someone could mutate an

Jim Fulton jim at zope.com
Wed Oct 26 13:12:33 EDT 2005


Log message for revision 39644:
  Added protection against the (small) risk that someone could mutate an
  object through an augmented assignment (aka inplace) operator.
  
  Also added handling for generator expressions.
  

Changed:
  U   Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
  U   Zope/branches/Zope-2_8-branch/lib/python/RestrictedPython/RestrictionMutator.py

-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===================================================================
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt	2005-10-26 17:12:30 UTC (rev 39643)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt	2005-10-26 17:12:32 UTC (rev 39644)
@@ -22,8 +22,10 @@
 
    - Collector #1233: port ZOPE_CONFIG patch from Zope 2.7 to Zope 2.8
 
-  After Zope 2.8.3
+  
 
+  Zope 2.8.4
+
     Bugs Fixed
 
       - Collector #1927:  Modified ZReST not to store rendered / warnings
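Review bot: the replacement for the "After Zope 2.8.3" heading leaves a whitespace-only line (`+  `) where the old heading stood, so the file gains trailing whitespace and an extra blank line between the Collector #1233 entry and the new heading; drop the `+  ` line so only `+  Zope 2.8.4` and its following blank line remain. The new heading also carries no release date, unlike `Zope 2.8.3 (2005/10/18)` below, which is fine for an unreleased version but should be filled in when the release is tagged.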
@@ -33,6 +35,13 @@
       - Collector #1926: fixed a typo in _doAddUser when password
         encryption is enabled.
 
+      - If a content object implemented any in-place numeric operators, 
+        untrusted code could call them, thus modifying the content.
+
+      - If Python 2.4 is used, despite the fact that Python 2.4 is
+        unsupported, untrusted code could use generator expressions to
+        gain access to container items.
+
   Zope 2.8.3 (2005/10/18)
 
     Other
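Review bot: the first new entry names the symptom but not what the fix requires of embedders; since the RestrictionMutator change now rewrites augmented assignment to a plain name into a call to a new `_inplacevar_` guard, anyone who runs RestrictedPython with their own restricted globals has to supply that function, and the changelog is the place to say so. Smaller points: the line `+      - If a content object implemented any in-place numeric operators, ` has trailing whitespace; neither entry has a Collector number like the surrounding items, so add one if the issue was tracked; and "despite the fact that Python 2.4 is unsupported" reads better as "Zope 2.8 does not officially support Python 2.4, but when run on it, untrusted code could use generator expressions to gain access to container items."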

Modified: Zope/branches/Zope-2_8-branch/lib/python/RestrictedPython/RestrictionMutator.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/RestrictedPython/RestrictionMutator.py	2005-10-26 17:12:30 UTC (rev 39643)
+++ Zope/branches/Zope-2_8-branch/lib/python/RestrictedPython/RestrictionMutator.py	2005-10-26 17:12:32 UTC (rev 39644)
@@ -47,6 +47,7 @@
 _getiter_name = ast.Name("_getiter_")
 _print_target_name = ast.Name("_print")
 _write_name = ast.Name("_write_")
+_inplacevar_name = ast.Name("_inplacevar_")
 
 # Constants.
 _None_const = ast.Const(None)
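Review bot: `_inplacevar_name` is added alongside the other guard names, but nothing in this patch adds a matching `_inplacevar_` implementation or registers it in the restricted globals; confirm the companion change lands in the same revision, since restricted code containing `x += y` on a local name will now fail at run time with an undefined `_inplacevar_` until it does.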
@@ -239,9 +240,9 @@
         #   for x in expr:
         # to
         #   for x in _getiter(expr):
+        #        # Note that visitListCompFor is the same thing.
         #
-        # Note that visitListCompFor is the same thing.  Exactly the same
-        # transformation is needed to convert
+        # Also for list comprehensions:
         #   [... for x in expr ...]
         # to
         #   [... for x in _getiter(expr) ...]
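Review bot: the inserted line `+        #        # Note that visitListCompFor is the same thing.` has a doubled `#` and indentation that matches neither the surrounding comment block nor the code, and it now sits inside the `for x in expr` example between the transformation and the `#` separator, so the comment reads as garbled; either drop it (the following `+        # Also for list comprehensions:` already covers visitListCompFor) or move it to a properly aligned line after the list-comprehension example.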
@@ -251,6 +252,15 @@
 
     visitListCompFor = visitFor
 
+    def visitGenExprFor(self, node, walker):
+        # convert
+        #   (... for x in expr ...)
+        # to
+        #   (... for x in _getiter(expr) ...)
+        node = walker.defaultVisitNode(node)
+        node.iter = ast.CallFunc(_getiter_name, [node.iter])
+        return node
+
     def visitGetattr(self, node, walker):
         """Converts attribute access to a function call.
 
@@ -365,8 +375,23 @@
         This could be a problem if untrusted code got access to a
         mutable database object that supports augmented assignment.
         """
-        node.node.in_aug_assign = True
-        return walker.defaultVisitNode(node)
+        if node.node.__class__.__name__ == 'Name':
+            node = walker.defaultVisitNode(node)
+            newnode = ast.Assign(
+                [ast.AssName(node.node.name, OP_ASSIGN)],
+                ast.CallFunc(
+                    _inplacevar_name,
+                    [ast.Const(node.op),
+                     ast.Name(node.node.name),
+                     node.expr,
+                     ]
+                    ),
+                )
+            newnode.lineno = node.lineno
+            return newnode
+        else:
+            node.node.in_aug_assign = True
+            return walker.defaultVisitNode(node)
 
     def visitImport(self, node, walker):
         """Checks names imported using checkName()."""
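Review bot: `OP_ASSIGN` is used in the new `ast.AssName(node.node.name, OP_ASSIGN)` but no import appears in this patch, so confirm it is already imported from compiler.consts at the top of the module. Three smaller points: `node.node.__class__.__name__ == 'Name'` is a string comparison where `isinstance(node.node, ast.Name)` would be clearer and would not match an unrelated class that happens to be called Name; `lineno` is copied only onto the outer Assign, not onto the synthesized CallFunc and Name nodes, so errors raised while evaluating the rewritten expression may lack line information; and the docstring above (`This could be a problem if untrusted code got access to a mutable database object that supports augmented assignment.`) still describes only the attribute and subscript path kept in the else branch, so extend it to state that a name target is now rewritten into `x = _inplacevar_(op, x, expr)` and that the guard is expected to refuse or copy rather than mutate in place.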


