From: Armin Ronacher
Date: Sun, 4 May 2008 16:25:02 +0000 (+0200)
Subject: extra security
X-Git-Tag: 2.0rc1~100
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=b5f522cdee5695f58cf0089ca94a833922f42921;p=jinja2.git
extra security
--HG--
branch : trunk
---
diff --git a/jinja2/sandbox.py b/jinja2/sandbox.py
index cd5b579..e027301 100644
--- a/jinja2/sandbox.py
+++ b/jinja2/sandbox.py
@@ -12,7 +12,8 @@
 :copyright: Copyright 2008 by Armin Ronacher.
 :license: BSD.
 """
-from types import FunctionType, MethodType
+from types import FunctionType, MethodType, TracebackType, CodeType, \
+ FrameType, GeneratorType
 from jinja2.runtime import Undefined
 from jinja2.environment import Environment
@@ -66,6 +67,12 @@ class SandboxedEnvironment(Environment):
 if isinstance(obj, MethodType):
 return attr not in UNSAFE_FUNCTION_ATTRIBUTES and \
 attr not in UNSAFE_METHOD_ATTRIBUTES
+ if isinstance(obj, type):
+ return attr != 'mro'
+ if isinstance(obj, (CodeType, TracebackType, FrameType)):
+ return False
+ if isinstance(obj, GeneratorType):
+ return attr != 'gi_frame'
 return True
 def is_safe_callable(self, obj):
@@ -96,7 +103,7 @@ class SandboxedEnvironment(Environment):
 ' unsafe.' % (
 argument,
 obj.__class__.__name__
- ))
+ ), name=argument)
 return self.undefined(obj=obj, name=argument)
 def call(__self, __obj, *args, **kwargs):
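Review bot: The new `type` and `GeneratorType` branches in the second hunk deny access by comparing against inline string literals (`attr != 'mro'`, `attr != 'gi_frame'`), while the existing checks visible in the hunk's context lines consult the module-level sets `UNSAFE_FUNCTION_ATTRIBUTES` and `UNSAFE_METHOD_ATTRIBUTES`. Lifting the two names into sibling constants, e.g. `UNSAFE_TYPE_ATTRIBUTES = set(['mro'])` and `UNSAFE_GENERATOR_ATTRIBUTES = set(['gi_frame'])`, and testing `attr not in ...` keeps the whole attribute policy in one place where a subclass or a test can read and extend it. The enclosing method (presumably is_safe_attribute; its def line is outside the hunk) starts before the hunk, so whether an earlier check already rejects underscore-prefixed names cannot be confirmed from here, and a short comment on the `CodeType`/`TracebackType`/`FrameType` branch, such as `# frame, traceback and code objects are never exposed, whatever the attribute`, would record that this branch is an unconditional denial rather than a name check.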