List comprehension - NameError: name '_[1]' is not defined ?
mario ruggier
mario.ruggier at gmail.com
Thu Jan 15 17:21:02 EST 2009
On Jan 15, 10:35 pm, ajaksu <aja... at gmail.com> wrote:
> On Jan 15, 1:56 pm, mario ruggier <mario.rugg... at gmail.com> wrote:
>
> > As
> > I mentioned in another thread, the real application behind all this is
> > one of the *few* secure templating systems around. Some info on its
> > security is at:http://evoque.gizmojo.org/usage/restricted/
> > Tell you what, if you find a security hole there (via exposed template
> > source on a Domain(restricted=True) setup) I'll offer you a nice
> > dinner (including the beer!) somewhere, maybe at some py conference,
> > but even remotely if that is not feasible... ;-)
>
> If you could provide a bare-bones instance of your evaluator to test
> against, without using the whole evoque (I get DUMMY MODE ON from
> 'self.template.collection.domain.globals'), it'd be more interesting
> to try :)
OK! Here's a small script to make it easier...
Just accumulate any expression you can dream of,
and pass it to get_expr_template() to get the template,
and on that then call evoque()... I guess you'd have to
test with 0.3, but 0.4 (also runs on py3) is just
around the corner....
Let it rip... the beer'd be on me ;-!
# evoque_restricted_test.py
from __future__ import print_function
from os.path import abspath, join, dirname
import logging
from evoque import domain, template
# uncomment to hide the plentiful ERROR logs (silences ERROR and below):
#logging.disable(logging.ERROR)
# set the base for the default collection
DEFAULT_DIR = abspath("/")
# error level: 3 -> renders, 4 -> raises any evaluation errors,
# see: http://evoque.gizmojo.org/usage/errors/
ERRORS = 2
# a restricted domain instance
d = domain.Domain(DEFAULT_DIR, restricted=True, errors=ERRORS,
                  quoting='str')
count = 0
# utility to easily init a template from any expression
def get_expr_template(expr):
    global count
    count += 1
    name = "test%s" % (count)
    src = "${%s}" % (expr)
    d.set_template(name, src=src, from_string=True)
    return d.get_template(name)
# some test expressions
exprs = [
    "open('test.txt', 'w')",
    "getattr(int, '_' + '_abs_' + '_')",
    "().__class__.mro()[1].__subclasses__()",
    "inspect.func_globals['_'*2+'builtins'+'_'*2]",
]
# execute: evaluate each expression inside the restricted domain
for expr in exprs:
    print()
    print(expr)
    print(get_expr_template(expr).evoque())
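The script above probes a restricted template domain with four expressions. As an added example for this thread (not part of the original post, and not evoque's code or a description of how its restricted=True mode is implemented), the block below shows the kind of static allowlist check a restricted expression evaluator can apply before evaluating anything: it parses the expression into an AST, rejects unknown names, underscore-prefixed attributes and syntax outside a small allowed set, and only then evaluates with a minimal builtins table. The policy (SAFE_BUILTINS, ALLOWED_NODE_TYPES, the leading-underscore rule) is an assumed, illustrative one; THREAD_EXPRESSIONS is copied from the script above and the benign expressions are constructed here. It also goes a step past the thread's probes by showing harmless expressions passing, so the check is seen to be selective rather than blanket.

```python
"""Static allowlist check for template expressions (added example, not evoque's)."""
import ast

# Builtins an expression may call; everything else is treated as an unknown name.
# This table is an assumed policy for the example.
SAFE_BUILTINS = {"len": len, "str": str, "int": int, "float": float,
                 "abs": abs, "min": min, "max": max, "sum": sum, "sorted": sorted}

# Syntax an expression may use: literals, names, attributes, subscripts, calls,
# operators, conditionals and list comprehensions. No lambda, no walrus,
# no await/yield, no generator tricks.
ALLOWED_NODE_TYPES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load, ast.Store,
    ast.Attribute, ast.Subscript, ast.Slice, ast.Call, ast.keyword,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.List, ast.Tuple, ast.Dict, ast.Set, ast.ListComp, ast.comprehension,
    ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
)

# The four probes from the thread's script, used here as rejection test cases.
THREAD_EXPRESSIONS = [
    "open('test.txt', 'w')",
    "getattr(int, '_' + '_abs_' + '_')",
    "().__class__.mro()[1].__subclasses__()",
    "inspect.func_globals['_'*2+'builtins'+'_'*2]",
]


def check_expression(expr, context_names=()):
    """Return the list of policy violations in expr (an empty list means allowed)."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        return ["syntax error: %s" % exc.msg]
    allowed_names = set(SAFE_BUILTINS) | set(context_names)
    # Comprehension targets are bound by the expression itself, so allow them.
    allowed_names |= {n.id for n in ast.walk(tree)
                      if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    violations = []
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODE_TYPES):
            violations.append("disallowed syntax: %s" % type(node).__name__)
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            # Blocks __class__, __subclasses__ and any other underscore-prefixed
            # attribute, i.e. the introspection path in expression 3.
            violations.append("private attribute: .%s" % node.attr)
        elif isinstance(node, ast.Name) and (
                node.id.startswith("_") or node.id not in allowed_names):
            # Unknown names cover open, getattr, inspect and __builtins__ alike.
            # getattr has to be blocked as a name: the attribute it is given can
            # be assembled at runtime (expression 2), so no string pattern would do.
            violations.append("unknown name: %s" % node.id)
    return violations


def is_allowed(expr, context_names=()):
    """True when expr passes the static check for the given context names."""
    return not check_expression(expr, context_names)


def restricted_eval(expr, context):
    """Evaluate expr only if it passes the check, with SAFE_BUILTINS as builtins."""
    violations = check_expression(expr, context.keys())
    if violations:
        raise ValueError("rejected %r: %s" % (expr, "; ".join(violations)))
    namespace = {"__builtins__": dict(SAFE_BUILTINS)}
    namespace.update(context)
    code = compile(ast.parse(expr, mode="eval"), "<template>", "eval")
    return eval(code, namespace)


if __name__ == "__main__":
    for probe in THREAD_EXPRESSIONS:
        print(probe, "->", check_expression(probe))
    # Constructed benign inputs: these pass and evaluate normally.
    print(restricted_eval("str(len(name)) + name.upper()", {"name": "mario"}))
    print(restricted_eval("[n.upper() for n in names]", {"names": ["a", "b"]}))
```

The static pass only sees what is written in the expression: names, attribute strings and syntax. Whatever is reachable through the objects handed in as context (a method on a context object that returns something powerful) is invisible to it, so a check like this complements a runtime policy on the exposed objects rather than replacing it.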