[#636769] Fix for major rexec bugs
* Lib/rexec.py
(FileBase): Added 'xreadlines' and '__iter__' to allowed file methods.
(FileWrapper.__init__): Removed unnecessary self.f variable, which gave
direct access to the file object.
(RExec): Added 'xreadlines' and '_weakref' to allowed modules.
(RExec.r_open): Convert string subclasses to a real string classes
before doing comparisons with mode parameter.
* Lib/ihooks.py
(BasicModuleImporter.import_module/reload/unload): Convert the module
name to a real string before working with it.
(ModuleImporter.import_module/import_it/reload): Convert the module
name to a real strings before working with it.
* Misc/NEWS
Document the change.
Using the suggestion there: add_module() forces __builtin__ back; this
fixes r_exec, r_eval, r_execfile. The interactive console had to be
fixed separately, because it doesn't use r_exec, but relies on the
'locals' dict having the right __builtins__. Fixed this by
subclassing InteractiveConsole and overriding runcode(), which does
the exec. This changes the banner output slightly: instead of
starting with *** RESTRICTED ***, a subtler (RestrictedConsole) is
printed before the first >>> prompt.
Also import readline (if it exists) when the interactive console is
used, for more convenient input editing and history.
This does not mean that rexec is now considered safe! But for those
willing to take the risk, it's safer than before. (Note that a safety
analysis of the code module would be wise if you plan to use the
interactive console for real -- I've only ever used it to play with
restricted mode.)
This should be backported to 2.2 and 2.1.
If a rexec instance allows writing in the current directory (a common
thing to do), there's a way to execute bogus bytecode. Fix this by
not allowing imports from .pyc files (in a way that allows a site to
configure things so that .pyc files *are* allowed, if writing is not
allowed).
I'll apply this to 2.2 and 2.1 too.
just by doing type(f) where f is any file object. This left a hole in
restricted execution mode that rexec.py can't plug by itself (although it
can plug part of it; the rest is plugged in fileobject.c now).
also modified check_all function to suppress all warnings since they aren't
relevant to what this test is doing (allows quiet checking of regsub, for
instance)
(2) Made the test script a bit fancier -- you can now use it to run
arbitrary scripts in restricted mode, and it will do the right thing.
(The interactive mode is still pretty lame; should integrate this with
code.interact().)
unmarshalling code is actually rather naive and can easily be
caused to crash by feeding it invalid data. This should be fixed in
the marshal module, but I don't have the time to fix it now :-(
Change RHooks() interface to not require a 'rexec' instance argument;
added set_rexec() method instead (which must be called by the RExec
instance using this RHooks instance).
Support dynamic loading of modules, at least for those modules that
are ok built-in modules. Added new interfaces set_trusted_path() and
load_dynamic() to RExec class (the default trusted path consists of
all absolute pathnames in sys.path).
Change copy_except() to actually try to delete the exceptions.
Guido van Rossum
Gustavo Niemeyer
Fred Drake
Jeremy Hylton
Raymond Hettinger
Tim Peters
Skip Montanaro