[Zope] Python Script limit in range()

Martijn Pieters mj@digicool.com
Wed, 14 Mar 2001 14:14:51 +0100


On Wed, Mar 14, 2001 at 12:43:55PM -0000, Peter Bengtsson wrote:
> A simple Script (Python) of mine:
> Id: randomtext_pys
> Title: Returns a random text
> <params>length=500</params>
> [code]
> import string
> import random
> text=''
> 
> pool = "qwertyuioplkjhgfdsazxcvbnm 1234567890 \n"
> 
> for i in range(int(length)):
>   text='%s%s'%(text,pool[random.randint(0,(len(pool)-1))])
> 
> return text
> [/code]
> 
> When I test this script within the management interface of Python Scripts
> everything looks good and I can enter values of "length" like 100 to 10 000.
> However, when I call this script from a DTML Method like this:
> <dtml-var "randomtext_pys(1000)"> it throws an error at me.
> <dtml-var "randomgtext_pys(500)"> and <dtml-var "randomgtext_pys(999)">
> works fine.
> 
> Error Type: ValueError
> Error Value: range() too large
> 
> (traceback below)
> 
> So, according to the traceback, you find the error here:
> 
> ----------- lib/python/DocumentTemplate/DT_Util.py ------------
> def careful_range(md, iFirst, *args):
>     # limited range function from Martijn Pieters
>     RANGELIMIT = 1000
>     if not len(args):
>         iStart, iEnd, iStep = 0, iFirst, 1
>     elif len(args) == 1:
>         iStart, iEnd, iStep = iFirst, args[0], 1
>     elif len(args) == 2:
>         iStart, iEnd, iStep = iFirst, args[0], args[1]
>     else:
>         raise AttributeError, 'range() requires 1-3 int arguments'
>     if iStep == 0: raise ValueError, 'zero step for range()'
>     iLen = int((iEnd - iStart) / iStep)
>     if iLen < 0: iLen = 0
>     if iLen >= RANGELIMIT: raise ValueError, 'range() too large'
>     return range(iStart, iEnd, iStep)
> -------------------------------------------------------------------
> 
> WHY is that LIMIT there?
> I can mod my Python Script to accommodate for the value of 1000, but I am
> just curious about it.

I wrote that code originally for DTML, in the days before I worked for DC.
You can tell by the variable names I used; I still had too much Microsoft
influence on me... ;)

Originally, the safe Python environment created for DTML couldn't do any
range at all. In a mailing list discussion on why this was so, I wrote the
above code and someone at DC (I believe it was Amos) incorporated it into
Zope.

The idea of DTML expressions and Python Script is that you can do powerful
scripting of a Zope server through the web without opening up your server
to security breaches and denial-of-service (DOS) attacks. Limiting the
number of items resulting from a range() call is but one way of limiting
the possibilities of DOS attacks. If you look through the file you found
this snippet in, you'll find more careful_* methods for other operations.

If you are interested in the original thread; you'll find it here:

  http://lists.zope.org/pipermail/zope/1999-March/086690.html

-- 
Martijn Pieters
| Software Engineer  mailto:mj@digicool.com
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
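The guard Martijn describes, ported to Python 3 as an added example (this is editor-supplied code, not Zope's DT_Util.py, and the `random_text` and `probe` helpers are assumptions made for illustration). It keeps the quoted `careful_range` semantics, including the `>=` comparison that refuses exactly 1000 items while allowing 999, which is the boundary Peter ran into, and uses Python 3's O(1) `len(range(...))` so the size check is exact for negative steps without materialising the list:

```python
import random

RANGELIMIT = 1000  # the ceiling from the quoted DT_Util.careful_range


def careful_range(iFirst, *args, limit=RANGELIMIT):
    """Return range(...) only when it would yield fewer than `limit` items.

    Mirrors the quoted Zope code: one to three int arguments, zero step
    rejected, and the same `>=` test, so 1000 items is refused and 999 passes.
    """
    if not args:
        iStart, iEnd, iStep = 0, iFirst, 1
    elif len(args) == 1:
        iStart, iEnd, iStep = iFirst, args[0], 1
    elif len(args) == 2:
        iStart, iEnd, iStep = iFirst, args[0], args[1]
    else:
        raise TypeError('range() requires 1-3 int arguments')
    if iStep == 0:
        raise ValueError('zero step for range()')
    # len() of a Python 3 range is computed without building the sequence,
    # and it is exact where the quoted int((iEnd - iStart) / iStep)
    # under-counts by one (e.g. range(0, 10, 3) has 4 items, not 3).
    iLen = len(range(iStart, iEnd, iStep))
    if iLen >= limit:
        raise ValueError('range() too large')
    return range(iStart, iEnd, iStep)


def random_text(length, rng=None):
    """Peter's randomtext script rewritten to run outside Zope (assumed helper).

    The pool is the one from the thread; the generator is seeded so the
    example is reproducible.
    """
    rng = rng or random.Random(0)
    pool = "qwertyuioplkjhgfdsazxcvbnm 1234567890 \n"
    return ''.join(rng.choice(pool) for _ in careful_range(int(length)))


def probe(length):
    """Report whether a requested length passes the guard (assumed helper)."""
    try:
        careful_range(int(length))
        return 'ok'
    except ValueError as exc:
        return str(exc)


if __name__ == '__main__':
    # Reproduces the observation in the thread: 500 and 999 work, 1000 does not.
    for n in (500, 999, 1000, 10000):
        print(n, probe(n))
```

The point of the `limit` keyword is that the cap is policy, not arithmetic: a script author who legitimately needs longer output raises it in one place, while untrusted through-the-web callers still cannot ask for a range large enough to tie up the server.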