[Python-Dev] Implementing restricted Python in Zope2

Nick Coghlan ncoghlan at gmail.com
Sat Jul 19 12:43:05 CEST 2008


Shane Hathaway wrote:
> ranjith kannikara wrote:
>> As a student I am not familiar with Restricted Python and python AST
>> implementation. And in need of help to start the Restricted Python
>> implementation.
> 
> Here is some context for Python-Dev.
> 
> RestrictedPython is a custom Python compiler that, when combined with a 
> restricted environment, provides a sandbox safe enough to allow 
> partly-trusted people to write and execute scripts on a Zope server.  It 
> has been used in Zope 2 for a long time and will have a future in Zope 
> 3.  The sandbox is more extensive than what the rexec module provides.
> 
> The safety of RestrictedPython has been validated in a somewhat formal 
> process with Python 2.4.  Ranjith is working to validate it with Python 
> 2.5.  He is first working to discover all changes between Python 2.4 and 
> 2.5 that might have affected the safety of a RestrictedPython sandbox. 
> Any changes to the AST, builtin functions, methods of builtin types, 
> etc., need to be evaluated for safety.

As others have noted, Python 2.4 didn't really have an AST - it had a 
concrete syntax tree that it called an AST.

Python 2.5 introduced an actual AST written in ASDL and the parsing and 
compilation process was rewritten on that basis.

The most relevant areas of the source tree to compare are the respective 
Parser subdirectories in 2.4 and 2.5:
http://svn.python.org/projects/python/branches/release24-maint/Parser/
http://svn.python.org/projects/python/branches/release25-maint/Parser/

The changes to symtable.c and compile.c in the Python subdirectory 
between the two versions are also highly relevant.

There may be other changes of relevance, but even going over just the 
changes I mentioned should keep you busy for quite a while (I don't 
think there was too much of the old compiler left once the AST compiler 
went into the tree).

It's easy to get a diff between files in the two versions using the 
read-only access to the SVN server:

   svn diff --old <Python 2.4 URL> --new <Python 2.5 URL>

(e.g. using the two parser directory URLs given above).

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
---------------------------------------------------------------
             http://www.boredomandlaziness.org
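
Added example, not part of the original message or of RestrictedPython: one way to mechanize the inventory described above (AST node types, builtin functions, methods of builtin types) is to snapshot those names under the reviewed interpreter and diff them under the new one. It is written against the current Python 3 `ast` and `builtins` modules rather than the 2.4/2.5 compilers discussed in the thread; the function names, `REVIEWED_TYPES` and the sample baseline are assumptions.

```python
import ast
import builtins

# Assumption: the builtin types whose methods the sandbox review covers.
REVIEWED_TYPES = (str, bytes, list, dict, set, tuple, int, float)


def surface_inventory():
    """Names exposed by the running interpreter in the three areas to review."""
    return {
        "ast_nodes": {name for name, obj in vars(ast).items()
                      if isinstance(obj, type) and issubclass(obj, ast.AST)},
        "builtins": set(dir(builtins)),
        "type_methods": {f"{t.__name__}.{m}"
                         for t in REVIEWED_TYPES for m in dir(t)},
    }


def surface_diff(baseline, current):
    """Per category: names added since the reviewed baseline, and names removed."""
    report = {}
    for category, names in current.items():
        old = set(baseline.get(category, ()))
        report[category] = {"added": sorted(names - old),
                            "removed": sorted(old - names)}
    return report


def constructed_baseline():
    """Constructed sample: pretend three names were absent when last reviewed.

    The three chosen names all arrived in Python 2.5.
    """
    base = surface_inventory()
    base["ast_nodes"].discard("With")
    base["builtins"].discard("any")
    base["type_methods"].discard("str.partition")
    return base


if __name__ == "__main__":
    report = surface_diff(constructed_baseline(), surface_inventory())
    for category, change in report.items():
        print(category, "needs review:", change["added"],
              "gone:", change["removed"])
```

In practice the baseline would be the inventory saved under the interpreter the sandbox was last validated against; every name in `added` is something the sandbox policy has never ruled on.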

