On Jan 15, 10:35 pm, ajaksu <aja...@gmail.com> wrote:
> On Jan 15, 1:56 pm, mario ruggier <mario.rugg...@gmail.com> wrote:
>
> > As I mentioned in another thread, the real application behind all this is
> > one of the *few* secure templating systems around. Some info on its
> > security is at: http://evoque.gizmojo.org/usage/restricted/
> > Tell you what, if you find a security hole there (via exposed template
> > source on a Domain(restricted=True) setup) I'll offer you a nice
> > dinner (including the beer!) somewhere, maybe at some py conference,
> > but even remotely if that is not feasible... ;-)
>
> If you could provide a bare-bones instance of your evaluator to test
> against, without using the whole evoque (I get DUMMY MODE ON from
> 'self.template.collection.domain.globals'), it'd be more interesting
> to try :)
OK! Here's a small script to make it easier... Just accumulate any expression you can dream of, and pass it to get_expr_template() to get the template, and on that then call evoque()... I guess you'd have to test with 0.3, but 0.4 (also runs on py3) is just around the corner.... Let it rip... the beer'd be on me ;-!

    # evoque_restricted_test.py
    from __future__ import print_function   # lets the script run on py2 and py3
    from os.path import abspath, join, dirname
    from evoque import domain, template
    import logging

    # uncomment to hide the plentiful ERROR logs:
    #logging_level = logging.CRITICAL

    # set the base for the default collection
    DEFAULT_DIR = abspath("/")

    # 3 -> renders, 4 -> raises any evaluation errors,
    # see: http://evoque.gizmojo.org/usage/errors/
    ERRORS = 2

    # a restricted domain instance
    d = domain.Domain(DEFAULT_DIR, restricted=True, errors=ERRORS, quoting='str')

    count = 0

    # utility to easily init a template from any expression:
    # each expression becomes the body of a "${...}" template in the domain
    def get_expr_template(expr):
        global count
        count += 1
        name = "test%s" % count
        src = "${%s}" % expr
        d.set_template(name, src=src, from_string=True)
        return d.get_template(name)

    # some test expressions (the usual sandbox-escape probes)
    exprs = [
        "open('test.txt', 'w')",
        "getattr(int, '_' + '_abs_' + '_')",
        "().__class__.mro()[1].__subclasses__()",
        "inspect.func_globals['_'*2+'builtins'+'_'*2]",
    ]

    # execute: render each probe and print whatever the restricted domain returns
    for expr in exprs:
        print()
        print(expr)
        print(get_expr_template(expr).evoque())

--
http://mail.python.org/mailman/listinfo/python-list