diff options
Diffstat (limited to 'src/zope/pagetemplate/engine.py')
-rw-r--r-- | src/zope/pagetemplate/engine.py | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/src/zope/pagetemplate/engine.py b/src/zope/pagetemplate/engine.py index 662dbcd..9b61498 100644 --- a/src/zope/pagetemplate/engine.py +++ b/src/zope/pagetemplate/engine.py @@ -33,13 +33,17 @@ from zope.traversing.interfaces import TraversalError from zope import component -try: # pragma: no cover - # Until https://github.com/zopefoundation/zope.untrustedpython/issues/2 - # is fixed Python 3 does not support special handling for untrusted code: +try: + # The ``untrusted`` extra is needed to have zope.untrustedpython: from zope.untrustedpython import rcompile from zope.untrustedpython.builtins import SafeBuiltins + + def guarded_getitem(ob, index): + """getitem access which gets guarded in the next line.""" + return ob[index] + guarded_getitem = ProxyFactory(guarded_getitem) HAVE_UNTRUSTED = True -except ImportError: +except ImportError: # pragma: no cover HAVE_UNTRUSTED = False # PyPy doesn't support assigning to '__builtins__', even when using eval() @@ -128,6 +132,8 @@ class ZopePythonExpr(PythonExpr): def __call__(self, econtext): __traceback_info__ = self.text vars = self._bind_used_names(econtext, SafeBuiltins) + vars['_getattr_'] = SafeBuiltins.getattr + vars['_getitem_'] = guarded_getitem return eval(self._code, vars) def _compile(self, text, filename): @@ -363,14 +369,15 @@ class ZopeEngine(ZopeBaseEngine): wrapped in security proxies if the 'untrusted' extra is installed:: >>> r = context.evaluate('python: {12: object()}.values') - >>> str(type(r).__name__) in ( - ... ('_Proxy',) if HAVE_UNTRUSTED else - ... ('builtin_function_or_method', 'method', 'instancemethod')) + >>> str(type(r).__name__) if HAVE_UNTRUSTED else '_Proxy' + '_Proxy' + >>> ((str(type(r).__name__) in ('method', 'instancemethod')) + ... if not HAVE_UNTRUSTED else True) True - >>> r = context.evaluate('python: {12: object()}[12].__class__') - >>> str(type(r).__name__) == '_Proxy' or not HAVE_UNTRUSTED - True + >>> r = context.evaluate('python: {12: (1, 2, 3)}[12]') + >>> str(type(r).__name__) if HAVE_UNTRUSTED else '_Proxy' + '_Proxy' General path expressions provide objects that are wrapped in security proxies as well:: |