[Zope-Checkins] CVS: Zope2 - DT_In.py:1.48.4.1 DT_Util.py:1.72.18.1

shane@digicool.com shane@digicool.com
Thu, 19 Apr 2001 18:52:48 -0400 (EDT)


Update of /cvs-repository/Zope2/lib/python/DocumentTemplate
In directory korak:/tmp/cvs-serv5490

Modified Files:
      Tag: RestrictedPythonBranch
	DT_In.py DT_Util.py 
Log Message:
Converting to use RestrictedPython but it's a work in progress



--- Updated File DT_In.py in package Zope2 --
--- DT_In.py	2001/04/13 19:31:42	1.48
+++ DT_In.py	2001/04/19 22:52:47	1.48.4.1
@@ -406,7 +406,8 @@
 __version__='$Revision$'[11:-2]
 
 from DT_Util import ParseError, parse_params, name_param, str
-from DT_Util import render_blocks, InstanceDict, ValidationError, VSEval, expr_globals
+from DT_Util import render_blocks, InstanceDict, ValidationError, \
+     RestrictedEval, expr_globals
 from string import find, atoi, join, split, lower
 import ts_regex
 from DT_InSV import sequence_variables, opt
@@ -445,10 +446,11 @@
             if sort=='sequence-item': self.sort=''
 
         if has_key('sort_expr'):
-            self.sort_expr=VSEval.Eval(args['sort_expr'], expr_globals)
+            self.sort_expr=RestrictedEval(args['sort_expr'], expr_globals)
 
         if has_key('reverse_expr'):
-            self.reverse_expr=VSEval.Eval(args['reverse_expr'], expr_globals)
+            self.reverse_expr=RestrictedEval(args['reverse_expr'],
+                                             expr_globals)
 
         if has_key('reverse'):
             self.reverse=args['reverse']

--- Updated File DT_Util.py in package Zope2 --
--- DT_Util.py	2001/01/22 16:36:16	1.72
+++ DT_Util.py	2001/04/19 22:52:47	1.72.18.1
@@ -87,7 +87,7 @@
 
 import regex, string, math, os
 from string import strip, join, atoi, lower, split, find
-import VSEval
+##import VSEval
 
 str=__builtins__['str'] # Waaaaa, waaaaaaaa needed for pickling waaaaa
 
@@ -157,32 +157,32 @@
         except: pass
     return 0
 
-def careful_getitem(md, mapping, key):
-    v=mapping[key]
+##def careful_getitem(md, mapping, key):
+##    v=mapping[key]
 
-    if type(v) is type(''): return v # Short-circuit common case
+##    if type(v) is type(''): return v # Short-circuit common case
 
-    validate=md.validate
-    if validate is None or validate(mapping,mapping,None,v,md): return v
-    raise ValidationError, key
-
-def careful_getslice(md, seq, *indexes):
-    v=len(indexes)
-    if v==2:
-        v=seq[indexes[0]:indexes[1]]
-    elif v==1:
-        v=seq[indexes[0]:]
-    else: v=seq[:]
-
-    if type(seq) is type(''): return v # Short-circuit common case
-
-    validate=md.validate
-    if validate is not None:
-        for e in v:
-            if not validate(seq,seq,None,e,md):
-                raise ValidationError, 'unauthorized access to slice member'
+##    validate=md.validate
+##    if validate is None or validate(mapping,mapping,None,v,md): return v
+##    raise ValidationError, key
+
+##def careful_getslice(md, seq, *indexes):
+##    v=len(indexes)
+##    if v==2:
+##        v=seq[indexes[0]:indexes[1]]
+##    elif v==1:
+##        v=seq[indexes[0]:]
+##    else: v=seq[:]
+
+##    if type(seq) is type(''): return v # Short-circuit common case
+
+##    validate=md.validate
+##    if validate is not None:
+##        for e in v:
+##            if not validate(seq,seq,None,e,md):
+##                raise ValidationError, 'unauthorized access to slice member'
 
-    return v
+##    return v
 
 def careful_range(md, iFirst, *args):
     # limited range function from Martijn Pieters
@@ -309,29 +309,89 @@
 d['reorder']=reorder
 
 
+class DTMLGuard:
+    _md = None
+
+    def __init__(self, ob):
+        self._ob = ob
+
+    def __getattr__(self, name):
+        if name[:1]!='_':
+            inst = self._ob
+            # Try to get the attribute normally so that we don't
+            # accidentally acquire when we shouldn't.
+            try: v=getattr(inst, name)
+            except:
+                if default is not _marker:
+                    return default
+                raise
+            md = self._md
+            validate = md.validate
+            if validate is None:
+                return v
+            if hasattr(inst, 'aq_acquire'):
+                return inst.aq_acquire(name, validate, md)
+            if validate(inst, inst, name, v, md):
+                return v
+        raise ValidationError, name
+
+    def __len__(self):
+        return len(self._ob)
+
+    def __getitem__(self, key):
+        mapping = self._ob
+        v = mapping[key]
+        if type(v) is type(''):
+            return v # Short-circuit common case
+        md = self._md
+        validate = md.validate
+        if validate is None or validate(mapping, mapping, None, v, md):
+            return v
+        raise ValidationError, key
+
+    def __getslice__(self, lo, hi):
+        seq = self._ob
+        v = seq[lo:hi]
+        if type(seq) is type(''):
+            return v # Short-circuit common case
+        md = self._md
+        validate = md.validate
+        if validate is not None:
+            for e in v:
+                if not validate(seq, seq, None, e, md):
+                    raise ValidationError, (
+                        'unauthorized access to slice member')
+        return v
+
 expr_globals={
     '__builtins__':{},
-    '__guarded_mul__':      VSEval.careful_mul,
-    '__guarded_getattr__':  careful_getattr,
-    '__guarded_getitem__':  careful_getitem,
-    '__guarded_getslice__': careful_getslice,
     }
 
-class Eval(VSEval.Eval):
-    
+from RestrictedPython.Eval import RestrictedEval
+
+class Eval(RestrictedEval):
+
     def eval(self, mapping):
-        d={'_vars': mapping, '_': mapping}
-        code=self.code
-        globals=self.globals
+        # Create a temporary subclass of DTMLGuard.
+        d = self.globals.copy()
+        class Guard (DTMLGuard): pass
+        Guard._md = mapping
+        d['_guard'] = Guard
+        d['_'] = mapping
+        code = self.code
         for name in self.used:
             __traceback_info__ = name
             try: d[name]=mapping.getitem(name,0)
             except KeyError:
-                if name=='_getattr':
-                    d['__builtins__']=globals
-                    exec compiled_getattr in d
-
-        return eval(code,globals,d)
+                # Swallow KeyErrors since the expression
+                # might not actually need the name.  If it
+                # does need the name, a NameError will occur.
+                pass
+
+        #print 'eval', str(self)
+        #for k in dir(code):
+        #    print '%s: %s' % (k, repr(getattr(code, k)))
+        return eval(code, d)
 
 
 def name_param(params,tag='',expr=0, attr='name', default_unnamed=1):