Whitelist urllib and urlparse modules (#13)
1 parent
af45495
commit 522cbc3
Showing 3 changed files with 47 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
from collective.trustedimports.util import whitelist_module, wrap_protected, is_url_allowed | ||
from AccessControl import allow_class, ModuleSecurityInfo, ClassSecurityInfo, Unauthorized | ||
from AccessControl.class_init import InitializeClass | ||
from Products.PythonScripts.Utility import allow_module | ||
import urllib | ||
import urlparse | ||
|
||
ModuleSecurityInfo('urllib').declarePublic('quote') | ||
ModuleSecurityInfo('urlparse').declarePublic('urlparse') |
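Review bot: Most of the imports at the top of this new file are unused. The two declarePublic calls only need ModuleSecurityInfo, while whitelist_module, wrap_protected, is_url_allowed, allow_class, ClassSecurityInfo, Unauthorized, InitializeClass, allow_module, urllib and urlparse are never referenced in the visible lines. Please drop them, or, if is_url_allowed was meant to gate something here, wire it in. In a module whose whole job is to widen what restricted code may call, unused security helpers make it harder to see what is actually being granted. A one-line comment above the declarations stating that only quote and urlparse are exposed on purpose would also help the next reader.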
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
urllib | ||
=========== | ||
|
||
>>> teval("import urllib;return urllib.quote('châteu', safe='')") | ||
'ch%C3%A2teu' | ||
|
||
|
||
We also can parse with urlparse | ||
>>> print teval("from urlparse import urlparse;return urlparse('https://www.google.com/')") | ||
ParseResult... | ||
|
||
|
||
We cannot user other function of urllib, such as | ||
>>> teval("import urllib;urllib.urlopen('https://www.google.com')") | ||
Traceback (most recent call last): | ||
... | ||
Unauthorized: You are not allowed to access 'urlopen' in this context | ||
|
||
|
||
We cannot user other function of urlparse, such as | ||
>>> teval("from urlparse import urljoin; urljoin('http://www.cwi.nl/%7Eguido/Python.html', 'FAQ.html')") | ||
Traceback (most recent call last): | ||
... | ||
Unauthorized: You are not allowed to access 'urljoin' in this context | ||
|
||
|
||
We can use these functions in system python | ||
|
||
>>> import urllib | ||
>>> urllib.urlopen('https://www.google.com') | ||
<addinfourl at ... | ||
|
||
>>> from urlparse import urljoin | ||
>>> urljoin('http://www.cwi.nl/%7Eguido/Python.html', 'FAQ.html') | ||
'http://www.cwi.nl/%7Eguido/FAQ.html' | ||
|
||
|
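Review bot: The "We can use these functions in system python" block calls urllib.urlopen('https://www.google.com') for real, so this doctest needs outbound network access and will fail offline or in a sandboxed CI run. The urljoin contrast right after it already shows the unrestricted behaviour without touching the network, so I would drop the urlopen call from that block. Separately, the positive urlparse test only matches "ParseResult..." and never reads a field such as netloc from inside teval, so it does not show that restricted code can use the result; adding one attribute access to that test would cover it. Minor: "We cannot user other function" should read "We cannot use other functions" in both places.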