diff genshi/template/eval.py @ 643:e5363d3c22d3 experimental-sandboxed
some more work on the sandbox
author | aronacher |
---|---|
date | Wed, 26 Sep 2007 14:51:45 +0000 |
parents | 1cf5fdfe7214 |
children | e60298f5b17b |
--- a/genshi/template/eval.py
+++ b/genshi/template/eval.py
@@ -28,7 +28,7 @@
 from genshi.core import Markup
 from genshi.template.base import TemplateRuntimeError
-from genshi.util import flatten
+from genshi.util import flatten, safe_range
 __all__ = ['Code', 'Expression', 'Suite', 'LenientLookup', 'StrictLookup', 'Undefined', 'UndefinedError']
@@ -489,13 +489,14 @@
 # underscores are valid we have to add __import__ here.
 UNSAFE_NAMES = ['file', 'open', 'eval', 'locals', 'globals', 'vars', 'help', 'quit', 'exit', 'input', 'raw_input', 'setattr',
- 'delattr', 'reload', 'compile', 'range', 'type']
+ 'delattr', 'reload', 'compile', 'type']
 # XXX: provide a secure range function
 SECURE_BUILTINS = BUILTINS.copy()
 for _unsafe_name in UNSAFE_NAMES:
 del SECURE_BUILTINS[_unsafe_name]
 del _unsafe_name
+SECURE_BUILTINS['range'] = safe_range
 CONSTANTS = frozenset(['False', 'True', 'None', 'NotImplemented', 'Ellipsis'])
@@ -831,22 +832,6 @@
 node = ast.CallFunc(ast.Name('_lookup_name'), func_args)
 return node
- def visitGetattr(self, node):
- if self.secure:
- return ast.CallFunc(ast.Name('_lookup_attr'), [
- ast.Name('data'), self.visit(node.expr),
- ast.Const(node.attrname)
- ])
- return ASTTransformer.visitGetattr(self, node)
-
- def visitSubscript(self, node):
- if self.secure:
- return ast.CallFunc(ast.Name('_lookup_item'), [
- ast.Name('data'), self.visit(node.expr),
- ast.Tuple([self.visit(sub) for sub in node.subs])
- ])
- return ASTTransformer.visitSubscript(self, node)
-
 class ExpressionASTTransformer(TemplateASTTransformer):
 """Concrete AST transformer that implements the AST transformations needed
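Review bot: In the `@@ -489,13 +489,14 @@` hunk, `SECURE_BUILTINS` is still produced by copying `BUILTINS` and deleting the names in `UNSAFE_NAMES`, so any builtin not on that list stays callable from sandboxed templates; `getattr`, for one, is not listed, and if `BUILTINS` mirrors the interpreter's builtins it would give attribute access that bypasses whatever lookup check secure mode applies to `a.b` syntax. An explicit allowlist fails closed when a builtin is overlooked or added later: `SECURE_BUILTINS = dict([(n, BUILTINS[n]) for n in SAFE_NAMES])`, where `SAFE_NAMES` is a new, reviewed list, followed by the existing `range` override. The context comment `# XXX: provide a secure range function` is stale once `safe_range` is installed and should be dropped or reworded. The comment above `UNSAFE_NAMES` begins outside the hunk, so its reasoning about `__import__` cannot be checked from here.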