Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

re #60: remove duplicate guard against * imports #65

Merged
merged 2 commits into from Oct 3, 2018
Merged

re #60: remove duplicate guard against * imports #65

merged 2 commits into from Oct 3, 2018

Conversation

tlotze
Copy link
Member

@tlotze tlotze commented Oct 2, 2018
edited by icemac

Contrary to the ticket rationale, this doesn't even rely on a guard in a
current enough version of RestrictedPython as even SecurityManager.validate
will raise Unauthorized if '*' is in the from-list.

fixes #60

@tlotze
re #60: remove duplicate guard against * imports
b20a380 
Contrary to the ticket rationale, this doesn't even rely on a guard in a
current enough version of RestrictedPython as even SecurityManager.validate
will raise Unauthorized if '*' is in the from-list.
@tlotze tlotze requested a review from icemac October 2, 2018 13:17
icemac
icemac reviewed Oct 2, 2018
View reviewed changes
Copy link
Member

@icemac icemac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't we need a minimum version of RestrictedPython?

src/AccessControl/tests/testModuleSecurity.py Outdated
@@ -67,6 +67,9 @@ def testPublicModule(self):
self.assertAuth('AccessControl.tests.public_module.submodule',
('pub',))

def test_star_import_not_allowed(self):
self.assertUnauth('AccessControl.tests.public_module', ('*',))

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the difference to the next test (test_public_module_asterisk_not_allowed)?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was a left-over from some experimentation, I've backed it out now.

@tlotze
Copy link
Member Author

tlotze commented Oct 3, 2018

@icemac: We don't need a more recent minimum version of RestrictedPython since the guard against * imports doesn't even rely on it. This is actually the point of the test that I had doubled in the first commit to this PR; these tests refer to the AccessControl guard only, which is already enough to block * imports (by virtue of validate).

icemac
icemac approved these changes Oct 3, 2018
View reviewed changes
Copy link
Member

@icemac icemac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@tlotze tlotze merged commit d66b328 into master Oct 3, 2018
@tlotze tlotze deleted the re-60-simplify-import-guard branch October 3, 2018 08:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@icemac icemac icemac approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ZopeGuards.guarded_import can be simplified when using RestrictedPython >= 4.0b4
2 participants
@tlotze @icemac