Fix README:

The wrong usage of `safe_builtins` allows access to the Python built-in `getattr` allowing all sorts of access.
zopefoundation · Oct 26, 2018 · bb93cd6 · bb93cd6
1 parent 719c096
commit bb93cd6
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/README.rst b/README.rst
@@ -25,7 +25,7 @@ This would not harm any system.
 .. code-block:: pycon
 
     >>> from RestrictedPython import compile_restricted
-    >>> from RestrictedPython import safe_builtins
+    >>> from RestrictedPython import safe_globals
     >>>
     >>> source_code = """
     ... def example():
@@ -34,7 +34,7 @@ This would not harm any system.
     >>>
     >>> loc = {}
     >>> byte_code = compile_restricted(source_code, '<inline>', 'exec')
-    >>> exec(byte_code, safe_builtins, loc)
+    >>> exec(byte_code, safe_globals, loc)
     >>>
     >>> loc['example']()
     'Hello World!'

diff --git a/src/RestrictedPython/Guards.py b/src/RestrictedPython/Guards.py
@@ -314,3 +314,6 @@ def guarded_unpack_sequence(it, spec, _getiter_):
         ret[idx] = guarded_unpack_sequence(ret[idx], child_spec, _getiter_)
 
     return ret
+
+
+safe_globals = {'__builtins__': safe_builtins}
diff --git a/src/RestrictedPython/__init__.py b/src/RestrictedPython/__init__.py
@@ -27,6 +27,7 @@
 
 # predefined builtins
 from RestrictedPython.Guards import safe_builtins  # isort:skip
+from RestrictedPython.Guards import safe_globals  # isort:skip
 from RestrictedPython.Limits import limited_builtins  # isort:skip
 from RestrictedPython.Utilities import utility_builtins  # isort:skip