[python-win32] python vs vbs with parental controls (security issue?)
Ross Boylan
RossBoylan at stanfordalumni.org
Thu Dec 17 06:21:34 CET 2009
Tim Golden wrote:
> Ross Boylan wrote:
>> Tim Golden wrote:
>>>
>>> <code>
>>> import wmi
>>>
>>> c = wmi.WMI (namespace="cimv2/Applications/WindowsParentalControls")
>>> rules = c.WpcURLOverride (Sid=kelsey.SID)
>>> print len (rules)
>>>
>>> </code>
>> I've encountered a glitch: I can't seem to update the values in the
>> rules I retrieve. The relevant snippet is
>> <python>
>> con = wmi.WMI(namespace=wpcns)
>> rules = con.WpcURLOverride (Sid=kelsey.SID)
>> for r in rules:
>> if r.URL.endswith("facebook.com/"):
>> # flip whether or not the site is allowed
>> r.Allowed = 3 - r.Allowed
>> r.Put_()
>> print r.URL, r.Allowed, "(%s)"%allowInterp(r.Allowed),
>> kelsey.name
>> </python>
>> This never changes the value of Allowed, even between the line where
>> it is set and printed out, much less between runs.
>
>
> Curious. FWIW, the Put_ shouldn't be necessary; the underlying
> setattr code does that for you. (Altho' it won't do any harm).
At least in VBS, Put_ was necessary. Allowed updated fine without it,
but the change did not persist.
>
> This WMI provider seems to be Vista+ (and I'm on XP).
I think Parental Controls is new with Vista. It is also unavailable on
server class systems, i.e, Windows 7 is the only other system that
currently does.
> I'll try
> to get hold of a Vista/W7 machine to check this out on. It's quite
> possible that there's a bug in the wmi module, not least because very
> few WMI classes actually allow direct updating. (The Win32_Service
> class, for example, exposes updates via a method). However, my
> unit test for this particular operation succeeds against the
> Win32_Environment instance.
>
> The underlying COM Object is held as the .ole_object attribute of
> the wmi instance (here: r) so as a workaround you could try: (untested)
>
> allowed = r.ole_object.Properties_ ("Allowed").Value
> r.ole_object.Properties_ ("Allowed").Value = 3 - allowed
> r.ole_object.Put_ ()
>
I tried that; it didn't help. The following code without the wmi module
works (eliding the code that got the kelsey object):
import win32com.client, sys
# would have been better to use raw strings r"...."
topns = "\\\\.\\root\\cimv2"
wpcns = topns + "\\Applications\\WindowsParentalControls"
locator = win32com.client.Dispatch("WbemScripting.SwbemLocator")
con = locator.ConnectServer(".", wpcns)
rules = con.InstancesOf("WpcURLOverride")
for r in rules:
if r.URL.endswith("facebook.com/") and r.SID == kelsey.SID:
# flip whether or not the site is allowed
print r.Allowed, 3-r.Allowed
r.Allowed = 3 - r.Allowed
r.Put_()
print r.URL, r.Allowed, "(%s)"%allowInterp(r.Allowed), kelsey.name
BTW, my attempts at limiting the scope of the queries with lines like
con.ExecQuery("select * from WpcURLOverride where SID = %s"%kelsey.SID)
always get syntax errors (from within com--the example above might not
be valid python, but it's like things that were valid!). Hence the
cumbersome procedure above.
The other parental controls-specific annoyance is that there doesn't
seem to be a way to make a new WpcURLOverride and insert it in the
list. The class itself (in its mof file) doesn't permit instantiation
(I tried anyway--didn't work), and I don't see any factory methods in
other parts of the subsystem.
Ross
More information about the python-win32
mailing list