Duncan Booth wrote:
> Steven Bethard wrote:
>
>
>>Interestingly, I don't seem to be able to create a file object as a
>>class attribute in restricted mode:
>>
>>py> class C(object):
>>... def __init__(self):
>>... self.f = file('temp.txt', 'w')
>>...
>>py> eval('''[ cls for cls in
>>{}.__class__.__bases__[0].__subclasses__() if cls.__name__ ==
>>'C'][0]().f.write("stuff")''', dict(__builtins__=None)) Traceback
>>(most recent call last):
>> File "<interactive input>", line 1, in ?
>> File "<string>", line 0, in ?
>>AttributeError: 'C' object has no attribute 'f'
>>py> eval('''[ cls for cls in
>>{}.__class__.__bases__[0].__subclasses__() if cls.__name__ ==
>>'C'][0]().__dict__''', dict(__builtins__=None)) {}
>
> Weird. I copied and paste your class and eval exactly (apart from deleting
> the ... prompts) and it worked exactly as expected: writing 'stuff' to
> temp.txt. (Python 2.4)
So, I played around with this a little bit. If I start up a new
interpreter and type it in like above, I get the behavior you do. What
I had actually done (abbreviated) was:
py> class C(object):
... pass
...
py> class C(object):
... def __init__(self):
... self.f = file('temp.txt', 'w')
...
py> eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__()
if cls.__name__ == 'C'][0]().f.write("stuff")''', dict(__builtins__=None))
Traceback (most recent call last):
File "<interactive input>", line 1, in ?
File "<string>", line 0, in ?
AttributeError: 'C' object has no attribute 'f'
And the problem with this is that both __main__.C objects are now
subclasses of object:
py> eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__()
if cls.__name__ == 'C']''', dict(__builtins__=None))
[<class '__main__.C'>, <class '__main__.C'>]
So I was getting the wrong __main__.C object. Sorry for the confusion!
Now, even using this technique, *your* code can't call the file constructor:
py> class C(object):
... def __init__(self):
... self.file = file
...
py> eval('''[ cls for cls in {}.__class__.__bases__[0].__subclasses__()
if cls.__name__ == 'C'][-1]().file("temp.txt", "w")''',
dict(__builtins__=None))
Traceback (most recent call last):
File "<interactive input>", line 1, in ?
File "<string>", line 0, in ?
IOError: file() constructor not accessible in restricted mode
But unless the person eval-ing your code *only* writes immaculate code I
can see that you can probably screw them. ;) I wonder why
__subclasses__ isn't a restricted attribute... Is it ever used for
something that isn't evil? ;)
STeVe
--
http://mail.python.org/mailman/listinfo/python-list
