Log message for revision 127792: LP #1047318: Tighten import restrictions for restricted code.
Changed: U Zope/branches/2.12/doc/CHANGES.rst U Zope/branches/2.12/setup.py U Zope/branches/2.12/src/AccessControl/SecurityInfo.py U Zope/branches/2.12/src/AccessControl/ZopeGuards.py U Zope/branches/2.12/src/AccessControl/__init__.py U Zope/branches/2.12/src/AccessControl/tests/testModuleSecurity.py U Zope/branches/2.12/src/AccessControl/tests/testZopeGuards.py U Zope/branches/2.12/src/Products/PythonScripts/standard.py U Zope/branches/2.12/src/Products/PythonScripts/tests/testPythonScript.py -=- Modified: Zope/branches/2.12/doc/CHANGES.rst =================================================================== --- Zope/branches/2.12/doc/CHANGES.rst 2012-09-09 11:13:26 UTC (rev 127791) +++ Zope/branches/2.12/doc/CHANGES.rst 2012-09-09 12:55:26 UTC (rev 127792) @@ -5,9 +5,11 @@ Change information for previous versions of Zope can be found at http://docs.zope.org/zope2/releases/. -2.12.24 (unreleased) +2.12.24 (2012-09-09) -------------------- +- LP #1047318: Tighten import restrictions for restricted code. + - Fix a bug in ZopeSecurityPolicy.py. Global variable `rolesForPermissionOn` could be overridden if `__role__` had custom rolesForPermissionOn. Modified: Zope/branches/2.12/setup.py =================================================================== --- Zope/branches/2.12/setup.py 2012-09-09 11:13:26 UTC (rev 127791) +++ Zope/branches/2.12/setup.py 2012-09-09 12:55:26 UTC (rev 127792) @@ -16,7 +16,7 @@ from setuptools import setup, find_packages, Extension setup(name='Zope2', - version='2.12.24dev', + version='2.12.24', url='http://www.zope.org', license='ZPL 2.1', description='Zope2 application server / web framework', Modified: Zope/branches/2.12/src/AccessControl/SecurityInfo.py =================================================================== --- Zope/branches/2.12/src/AccessControl/SecurityInfo.py 2012-09-09 11:13:26 UTC (rev 127791) +++ Zope/branches/2.12/src/AccessControl/SecurityInfo.py 2012-09-09 12:55:26 UTC (rev 127792) @@ -211,7 +211,9 @@ def secureModule(mname, *imp): modsec = _moduleSecurity.get(mname, None) if modsec is None: - return + if mname in _appliedModuleSecurity: + return sys.modules[mname] + return # no MSI, no module if imp: __import__(mname, *imp) Modified: Zope/branches/2.12/src/AccessControl/ZopeGuards.py =================================================================== --- Zope/branches/2.12/src/AccessControl/ZopeGuards.py 2012-09-09 11:13:26 UTC (rev 127791) +++ Zope/branches/2.12/src/AccessControl/ZopeGuards.py 2012-09-09 12:55:26 UTC (rev 127792) @@ -310,7 +310,7 @@ return list.sorted(iterable, cmp=None, key=None, reverse=False) safe_builtins['list'] = GuardedListType() - + class GuardedDictType: def __call__(self, *args, **kwargs): return dict(*args, **kwargs) @@ -329,20 +329,16 @@ safe_builtins['sum'] = guarded_sum def load_module(module, mname, mnameparts, validate, globals, locals): - modules = sys.modules while mnameparts: nextname = mnameparts.pop(0) if mname is None: mname = nextname else: mname = '%s.%s' % (mname, nextname) - nextmodule = modules.get(mname, None) - if nextmodule is None: - nextmodule = secureModule(mname, globals, locals) - if nextmodule is None: - return - else: - secureModule(mname) + # import (if not already imported) and check for MSI + nextmodule = secureModule(mname, globals, locals) + if nextmodule is None: # not allowed + return if module and not validate(module, module, nextname, nextmodule): return module = nextmodule @@ -440,7 +436,7 @@ def __idiv__(x, y): x /= y return x - + def __ifloordiv__(x, y): x //= y return x Modified: Zope/branches/2.12/src/AccessControl/__init__.py =================================================================== --- Zope/branches/2.12/src/AccessControl/__init__.py 2012-09-09 11:13:26 UTC (rev 127791) +++ Zope/branches/2.12/src/AccessControl/__init__.py 2012-09-09 12:55:26 UTC (rev 127792) @@ -26,11 +26,18 @@ from AccessControl.SecurityInfo import allow_module from AccessControl.SecurityInfo import allow_class from AccessControl.SimpleObjectPolicies import allow_type -from AccessControl.unauthorized import Unauthorized # XXX +from AccessControl.unauthorized import Unauthorized from AccessControl.ZopeGuards import full_write_guard from AccessControl.ZopeGuards import safe_builtins ModuleSecurityInfo('AccessControl').declarePublic('getSecurityManager') +# allow imports of utility_builtins + +for name in ('string', 'math', 'random', 'sets'): + ModuleSecurityInfo(name).setDefaultAccess('allow') + +ModuleSecurityInfo('DateTime').declarePublic('DateTime') + from AccessControl import DTML # XXX side effects? del DTML Modified: Zope/branches/2.12/src/AccessControl/tests/testModuleSecurity.py =================================================================== --- Zope/branches/2.12/src/AccessControl/tests/testModuleSecurity.py 2012-09-09 11:13:26 UTC (rev 127791) +++ Zope/branches/2.12/src/AccessControl/tests/testModuleSecurity.py 2012-09-09 12:55:26 UTC (rev 127792) @@ -42,6 +42,9 @@ from AccessControl.ZopeGuards import guarded_import guarded_import(module, fromlist=fromlist, level=level) + def test_unprotected_module(self): + self.assertUnauth('os', ()) + def testPrivateModule(self): self.assertUnauth('AccessControl.tests.private_module', ()) self.assertUnauth('AccessControl.tests.private_module', ('priv',)) Modified: Zope/branches/2.12/src/AccessControl/tests/testZopeGuards.py =================================================================== --- Zope/branches/2.12/src/AccessControl/tests/testZopeGuards.py 2012-09-09 11:13:26 UTC (rev 127791) +++ Zope/branches/2.12/src/AccessControl/tests/testZopeGuards.py 2012-09-09 12:55:26 UTC (rev 127792) @@ -761,10 +761,6 @@ g['__name__'] = __name__ # so classes can be defined in the script return code, g - def testPythonRealAC(self): - code, its_globals = self._compile("actual_python.py") - exec code in its_globals - # Compile code in fname, as restricted Python. Return the # compiled code, and a safe globals dict for running it in. # fname is the string name of a Python file; it must be found Modified: Zope/branches/2.12/src/Products/PythonScripts/standard.py =================================================================== --- Zope/branches/2.12/src/Products/PythonScripts/standard.py 2012-09-09 11:13:26 UTC (rev 127791) +++ Zope/branches/2.12/src/Products/PythonScripts/standard.py 2012-09-09 12:55:26 UTC (rev 127792) @@ -40,7 +40,7 @@ from DocumentTemplate.DT_Var import restructured_text from ZPublisher.HTTPRequest import record -security = ModuleSecurityInfo() +security = ModuleSecurityInfo('Products.PythonScripts.standard') security.declarePublic('special_formats', 'whole_dollars', Modified: Zope/branches/2.12/src/Products/PythonScripts/tests/testPythonScript.py =================================================================== --- Zope/branches/2.12/src/Products/PythonScripts/tests/testPythonScript.py 2012-09-09 11:13:26 UTC (rev 127791) +++ Zope/branches/2.12/src/Products/PythonScripts/tests/testPythonScript.py 2012-09-09 12:55:26 UTC (rev 127792) @@ -131,9 +131,6 @@ def testCollector2295(self): res = self._newPS('if False:\n pass\n#hi') - def testCollector2295(self): - res = self._newPS('if False:\n pass\n#hi') - def testReduce(self): res = self._newPS('return reduce(lambda x, y: x + y, [1,3,5,7])')() self.assertEqual(res, 16) _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins