Added protection against the (small) risk that someone could mitate an

object through an augmented assignment (aka inplace) operator. Also added handling for generator expressions.

Added protection against the (small) risk that someone could mitate an
object through an augmented assignment (aka inplace) operator. Also added handling for generator expressions.
ceef435d · Jim Fulton · 912a5266 · ceef435d · ceef435d
Commit ceef435d authored Oct 26, 2005 by Jim Fulton
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 5 deletions

doc/CHANGES.txt doc/CHANGES.txt +10 -1

lib/python/RestrictedPython/RestrictionMutator.py lib/python/RestrictedPython/RestrictionMutator.py +29 -4

No files found.
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -22,7 +22,9 @@ Zope Changes

   - Collector #1233: port ZOPE_CONFIG patch from Zope 2.7 to Zope 2.8

-  After Zope 2.8.3
+  
+
+  Zope 2.8.4

    Bugs Fixed

@@ -33,6 +35,13 @@ Zope Changes
      - Collector #1926: fixed a typo in _doAddUser when password
        encryption is enabled.

+      - If a content object implemented any in-place numeric operators, 
+        untrusted code could call them, thus modifying the content.
+
+      - If Python 2.4 is used, despite the fact that Python 2.4 is
+        unsupported, untrusted code could use generator expressions to
+        gain access to container items.
+
  Zope 2.8.3 (2005/10/18)

    Other

--- a/lib/python/RestrictedPython/RestrictionMutator.py
+++ b/lib/python/RestrictedPython/RestrictionMutator.py
@@ -47,6 +47,7 @@ _getitem_name = ast.Name("_getitem_")
 _getiter_name = ast.Name("_getiter_")
 _print_target_name = ast.Name("_print")
 _write_name = ast.Name("_write_")
+_inplacevar_name = ast.Name("_inplacevar_")

 # Constants.
 _None_const = ast.Const(None)
@@ -239,9 +240,9 @@ class RestrictionMutator:
        #   for x in expr:
        # to
        #   for x in _getiter(expr):
+        #        # Note that visitListCompFor is the same thing.
        #
-        # Note that visitListCompFor is the same thing.  Exactly the same
-        # transformation is needed to convert
+        # Also for list comprehensions:
        #   [... for x in expr ...]
        # to
        #   [... for x in _getiter(expr) ...]
@@ -251,6 +252,15 @@ class RestrictionMutator:

    visitListCompFor = visitFor

+    def visitGenExprFor(self, node, walker):
+        # convert
+        #   (... for x in expr ...)
+        # to
+        #   (... for x in _getiter(expr) ...)
+        node = walker.defaultVisitNode(node)
+        node.iter = ast.CallFunc(_getiter_name, [node.iter])
+        return node
+
    def visitGetattr(self, node, walker):
        """Converts attribute access to a function call.

@@ -365,8 +375,23 @@ class RestrictionMutator:
        This could be a problem if untrusted code got access to a
        mutable database object that supports augmented assignment.
        """
-        node.node.in_aug_assign = True
-        return walker.defaultVisitNode(node)
+        if node.node.__class__.__name__ == 'Name':
+            node = walker.defaultVisitNode(node)
+            newnode = ast.Assign(
+                [ast.AssName(node.node.name, OP_ASSIGN)],
+                ast.CallFunc(
+                    _inplacevar_name,
+                    [ast.Const(node.op),
+                     ast.Name(node.node.name),
+                     node.expr,
+                     ]
+                    ),
+                )
+            newnode.lineno = node.lineno
+            return newnode
+        else:
+            node.node.in_aug_assign = True
+            return walker.defaultVisitNode(node)

    def visitImport(self, node, walker):
        """Checks names imported using checkName()."""