[Python-checkins] python/dist/src/Lib rexec.py,1.34.10.1,1.34.10.2
gvanrossum@users.sourceforge.net
gvanrossum@users.sourceforge.net
Fri, 31 May 2002 14:17:55 -0700
Update of /cvsroot/python/python/dist/src/Lib
In directory usw-pr-cvs1:/tmp/cvs-serv699/Lib
Modified Files:
Tag: release22-maint
rexec.py
Log Message:
Backport to 2.2.x:
SF bug 533625 (Armin Rigo). rexec: potential security hole
If a rexec instance allows writing in the current directory (a common
thing to do), there's a way to execute bogus bytecode. Fix this by
not allowing imports from .pyc files (in a way that allows a site to
configure things so that .pyc files *are* allowed, if writing is not
allowed).
Index: rexec.py
===================================================================
RCS file: /cvsroot/python/python/dist/src/Lib/rexec.py,v
retrieving revision 1.34.10.1
retrieving revision 1.34.10.2
diff -C2 -d -r1.34.10.1 -r1.34.10.2
*** rexec.py 29 May 2002 23:44:50 -0000 1.34.10.1
--- rexec.py 31 May 2002 21:17:53 -0000 1.34.10.2
***************
*** 23,26 ****
--- 23,27 ----
import os
import ihooks
+ import imp
__all__ = ["RExec"]
***************
*** 84,87 ****
--- 85,91 ----
self.rexec = rexec
+ def get_suffixes(self):
+ return self.rexec.get_suffixes()
+
def is_builtin(self, name):
return self.rexec.is_builtin(name)
***************
*** 145,148 ****
--- 149,154 ----
nok_builtin_names = ('open', 'file', 'reload', '__import__')
+ ok_file_types = (imp.C_EXTENSION, imp.PY_SOURCE)
+
def __init__(self, hooks = None, verbose = 0):
"""Returns an instance of the RExec class.
***************
*** 204,208 ****
src = sys.modules[name]
else:
- import imp
src = imp.load_dynamic(name, filename, file)
dst = self.copy_except(src, [])
--- 210,213 ----
***************
*** 214,217 ****
--- 219,227 ----
# Helpers for RHooks
+
+ def get_suffixes(self):
+ return [item # (suff, mode, type)
+ for item in imp.get_suffixes()
+ if item[2] in self.ok_file_types]
def is_builtin(self, mname):