New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
re #60: remove duplicate guard against * imports #65
Conversation
Contrary to the ticket rationale, this doesn't even rely on a guard in a current enough version of RestrictedPython as even SecurityManager.validate will raise Unauthorized if '*' is in the from-list.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't we need a minimum version of RestrictedPython
?
@@ -67,6 +67,9 @@ def testPublicModule(self): | |||
self.assertAuth('AccessControl.tests.public_module.submodule', | |||
('pub',)) | |||
|
|||
def test_star_import_not_allowed(self): | |||
self.assertUnauth('AccessControl.tests.public_module', ('*',)) | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the difference to the next test (test_public_module_asterisk_not_allowed
)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was a left-over from some experimentation, I've backed it out now.
@icemac: We don't need a more recent minimum version of RestrictedPython since the guard against * imports doesn't even rely on it. This is actually the point of the test that I had doubled in the first commit to this PR; these tests refer to the AccessControl guard only, which is already enough to block * imports (by virtue of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
Contrary to the ticket rationale, this doesn't even rely on a guard in a
current enough version of RestrictedPython as even SecurityManager.validate
will raise Unauthorized if '*' is in the from-list.
fixes #60