odoo
/
odoo
2
0
Fork 0
Code Pull Requests Releases Activity

[FIX] tools: restrict available attributes

This commit is contained in:
Denis Ledoux 2014-09-15 11:55:53 +02:00
parent 9b1cdea223
commit b601015800
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
openerp/tools/safe_eval.py
View File

@ -42,6 +42,9 @@ __all__ = ['test_expr', 'safe_eval', 'const_eval']
# lp:703841), does import time.
_ALLOWED_MODULES = ['_strptime', 'time']
_UNSAFE_ATTRIBUTES = ['f_builtins', 'f_globals', 'f_locals', 'gi_frame',
'co_code', 'func_globals']
_CONST_OPCODES = set(opmap[x] for x in [
'POP_TOP', 'ROT_TWO', 'ROT_THREE', 'ROT_FOUR', 'DUP_TOP', 'DUP_TOPX',
'POP_BLOCK','SETUP_LOOP', 'BUILD_LIST', 'BUILD_MAP', 'BUILD_TUPLE',
@ -113,7 +116,7 @@ def assert_no_dunder_name(code_obj, expr):
.. note:: actually forbids every name containing 2 underscores
"""
for name in code_obj.co_names:
if "__" in name:
if "__" in name or name in _UNSAFE_ATTRIBUTES:
raise NameError('Access to forbidden name %r (%r)' % (name, expr))
def assert_valid_codeobj(allowed_codes, code_obj, expr):