Safe Python, chapter II

Steven D. Majewski (sdm7g@virginia.edu)
Fri, 6 Jan 1995 16:02:36 -0500 (EST)

Guido's modifications to import, exposing it to (Python) user-level
modification, were the first requirement for the planned Safe-Python
mods (as well as for packages, remote import and several other
new features).

At the workshop (and later), we had discussed the other part being
some changes to exec to explicitly pass a replacement "builtin"
module. I had not looked further at this bit, as it was one of
the thirty or forty tasks that Guido has said that HE would do
himself ... Real Soon ... :-) However, looking at it now, I see
that either it's not quite as simple and local a fix as we had
then thought, or else Guido was anticipating it working rather
differently than I had.

Here is the main bit of Python's two-and-a-half levels of scope
implementation from the Python/ceval.c byte-code interpreter loop:

    case LOAD_NAME:
        w = GETNAMEV(oparg);
        x = dict2lookup(f->f_locals, w);
        if (x == NULL) {
            err_clear();
            x = dict2lookup(f->f_globals, w);
            if (x == NULL) {
                err_clear();
                x = getbuiltin(w);

i.e. lookup name in locals
     if not found, lookup name in globals
     if not found, lookup name in builtins.

For static binding of the builtin module definitions - i.e. for
the one in place when the module's functions were defined to be
"latched" onto, we need to treat builtin pretty much the same
as we do the globals:

 o functions need an additional attribute slot for func_builtins
   as well as func_globals.
 o ceval needs to get that slot and copy it into the current frame
   ( replacing 'getbuiltin' with access to THAT "builtin" dict. )
 o exec still needs that additional arg to specify builtin dict -
   that is what's needed for "safe-import" to cause evaluation of
   an imported module with the alternate builtin dict bindings,
   so that functions defined in that module will bind to that
   builtin, and module init code will be executed in that context.

I think those changes are necessary and almost sufficient ( except
for read-only access and blocking a few other backdoors ).
The changes are less "local" than we had thought, but still not too
extreme.

(1) Am I missing anything ?
(2) Guido: is this semantics totally different from what you
were considering, or are we on the same wavelength ?
[ "What's the frequency, Kenneth?" ]

( Those questions being the main reason I'm writing this note
first, instead of just coding away! )

---| Steven D. Majewski (804-982-0831) <sdm7g@Virginia.EDU> |---
---| Computer Systems Engineer University of Virginia |---
---| Department of Molecular Physiology and Biological Physics |---
---| Box 449 Health Science Center Charlottesville,VA 22908 |---
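
The "latched" builtins semantics proposed above, shown as an added example
that is not part of the original message or of the 1995 interpreter. It
relies on present-day CPython, where exec() takes the replacement builtins
from the "__builtins__" key of the globals dict; SAFE_NAMES, UNTRUSTED_SRC,
load_restricted and call_try_open are hypothetical names made up here.

```python
import builtins

# Constructed allow-list: the only builtins the loaded module may see.
SAFE_NAMES = ("len", "range", "sum", "NameError")

# Constructed sample module source, standing in for a "safe-imported" module.
UNTRUSTED_SRC = '''
total = sum(range(4))      # module init code runs under the replacement builtins

def count(items):
    return len(items)      # 'len' resolves: locals -> globals -> builtins

def try_open(path):
    return open(path)      # 'open' is absent from the replacement builtins
'''


def load_restricted(source, name="untrusted"):
    """Execute module source with an alternate builtins dict.

    The dict stored under "__builtins__" plays the role of the extra exec
    argument; every function defined by the source keeps this namespace as
    its globals, so the replacement builtins travel with the function.
    """
    replacement = {n: getattr(builtins, n) for n in SAFE_NAMES}
    namespace = {"__name__": name, "__builtins__": replacement}
    exec(compile(source, name, "exec"), namespace)
    return namespace


def call_try_open(namespace):
    """Call the module's try_open() from ordinary, unrestricted code."""
    try:
        namespace["try_open"]("constructed.txt")
    except NameError:
        # The lookup fell through locals and globals to the latched
        # builtins dict, which has no 'open'; the caller's own builtins
        # were never consulted.
        return "NameError"
    return "opened"


if __name__ == "__main__":
    ns = load_restricted(UNTRUSTED_SRC)
    print(ns["total"], ns["count"]([1, 2, 3]), call_try_open(ns))
```

This covers only the name-binding part; the read-only access and other
backdoors mentioned in the message are outside what it demonstrates.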