patches/Restricted: properly support StringIO

Our patch was wrong, it caused guarded_getattr to always allow attributes of not protected instances of old-style classes. While this look like a severe security hole, I don't we are using any sensitive non protected instances Because cStringIO.StringIO("initial value") makes a read-only StringIO using another type, this was not supported.

patches/Restricted: properly support StringIO
Our patch was wrong, it caused guarded_getattr to always allow attributes of not protected instances of old-style classes. While this look like a severe security hole, I don't we are using any sensitive non protected instances Because cStringIO.StringIO("initial value") makes a read-only StringIO using another type, this was not supported.
5b995163 · Jérome Perrin · 900a9c1c · 5b995163 · 5b995163
Commit 5b995163 authored Apr 01, 2020 by Jérome Perrin
2 changed files
--- a/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testRestrictedPythonSecurity.py
+++ b/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testRestrictedPythonSecurity.py
@@ -417,6 +417,43 @@ class TestRestrictedPythonSecurity(ERP5TypeTestCase):
        expected=1
    )
+  def test_StringIO(self):
+    self.createAndRunScript(
+        textwrap.dedent('''\
+          import StringIO
+          s = StringIO.StringIO()
+          s.write("ok")
+          return s.getvalue()
+          '''),
+        expected="ok"
+    )
+    self.createAndRunScript(
+        textwrap.dedent('''\
+          import StringIO
+          return StringIO.StringIO("ok").getvalue()
+          '''),
+        expected="ok"
+    )
+  def test_cStringIO(self):
+    self.createAndRunScript(
+        textwrap.dedent('''\
+          import cStringIO
+          s = cStringIO.StringIO()
+          s.write("ok")
+          return s.getvalue()
+          '''),
+        expected="ok"
+    )
+    self.createAndRunScript(
+        textwrap.dedent('''\
+          import cStringIO
+          return cStringIO.StringIO("ok").getvalue()
+          '''),
+        expected="ok"
+    )
 def test_suite():
  suite = unittest.TestSuite()
  suite.addTest(unittest.makeSuite(TestRestrictedPythonSecurity))

--- a/product/ERP5Type/patches/Restricted.py
+++ b/product/ERP5Type/patches/Restricted.py
@@ -258,13 +258,14 @@ allow_type(type(re.compile('')))
 allow_type(type(re.match('x','x')))
 allow_type(type(re.finditer('x','x')))
-import cStringIO, StringIO
-f_cStringIO = cStringIO.StringIO()
-f_StringIO = StringIO.StringIO()
-allow_module('cStringIO')
 allow_module('StringIO')
-allow_type(type(f_cStringIO))
+import StringIO
-allow_type(type(f_StringIO))
+StringIO.StringIO.__allow_access_to_unprotected_subobjects__ = 1
+allow_module('cStringIO')
+import cStringIO
+allow_type(cStringIO.InputType)
+allow_type(cStringIO.OutputType)
 ModuleSecurityInfo('cgi').declarePublic('escape', 'parse_header')
 allow_module('datetime')