Re: Safe Python, chapter II

Guido.van.Rossum@cwi.nl
Fri, 06 Jan 1995 23:44:36 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Guido.van.Rossum@cwi.nl: "Re: Safe Python, chapter II"
Previous message: Steven D. Majewski: "Safe Python, chapter II"
In reply to: Steven D. Majewski: "Safe Python, chapter II"
Next in thread: Guido.van.Rossum@cwi.nl: "Re: Safe Python, chapter II"

> i.e. lookup name in locals
> if not found, lookup name in globals
> if not found, lookup name in builtins.
>
>
> For static binding of the builtin module definitions - i.e. for
> the one in place when the modules functions were defined to be
> "latched" onto, we need to treat builtin pretty much the same
> as we do the globals:
>
> o function need an additional attribute slot for func_builtins
> as well as func_globals.
> o ceval need to get that slot and copy it into the current frame
> ( replacing 'getbuiltin' with access to THAT "builtin" dict. )
> o exec still needs that additional arg to specify builtin dict -
> that is what's needed for "safe-import" to cause evaluation of
> an imported module with the alternate builtin dict bindings,
> so that functions defined in that modules will bind to that
> builtin, and module init code will be executed in that context.
>
> I think those changes are necessary and almost sufficient ( except
> for read-only access and blocking a few other backdoors ).
> The changes are less "local" than we had thought, but still not too
> extreme.
>
> (1) Am I missing anything ?
> (2) Guido: is this semantics totally different from what you
> were considering, or are we on the same wavelength ?

This is more or less what I had in mind. Two things have been
bothering me:

(A) The argument order for exec/eval is globals, locals. Since I only
dare add new optional arguments at the end, the order would become
globals, locals, builtins, which is different from the search order
(locals, globals, builtins).

(B) Extending every function object in the world with a builtins slot
is doable but somewhat inefficient. (I'm doing just this for doc
strings, coding it at this very moment...)

I think that we can safely assume that two functions using the same
set of globals will also be using the same set of builtins (though not
the reverse). Therefore an alternative would be to bury the
information on what set of builtins to use inside the globals -- e.g.,
have an optional slot __builtins__ in the dictionary of globals to
point to the dictionary of builtins. As you propose, this can be
copied into the current frame by eval_code. (The presence of this slot
can also be used to indicate that certain backdoor operations are
disallowed.)

BTW if you get to coding this, I'd like to receive your mods
a.s.a.p. -- the way things are going, they may well end up being
incorporated in Python 1.2!

--Guido van Rossum, CWI, Amsterdam <mailto:Guido.van.Rossum@cwi.nl>
<http://www.cwi.nl/cwi/people/Guido.van.Rossum.html>

Next message: Guido.van.Rossum@cwi.nl: "Re: Safe Python, chapter II"
Previous message: Steven D. Majewski: "Safe Python, chapter II"
In reply to: Steven D. Majewski: "Safe Python, chapter II"
Next in thread: Guido.van.Rossum@cwi.nl: "Re: Safe Python, chapter II"