From b5f522cdee5695f58cf0089ca94a833922f42921 Mon Sep 17 00:00:00 2001
From: Armin Ronacher
Date: Sun, 4 May 2008 18:25:02 +0200
Subject: [PATCH] extra security

--HG--
branch : trunk
---
 jinja2/sandbox.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/jinja2/sandbox.py b/jinja2/sandbox.py
index cd5b579..e027301 100644
--- a/jinja2/sandbox.py
+++ b/jinja2/sandbox.py
@@ -12,7 +12,8 @@
     :copyright: Copyright 2008 by Armin Ronacher.
     :license: BSD.
 """
-from types import FunctionType, MethodType
+from types import FunctionType, MethodType, TracebackType, CodeType, \
+    FrameType, GeneratorType
 from jinja2.runtime import Undefined
 from jinja2.environment import Environment
 
@@ -66,6 +67,12 @@ class SandboxedEnvironment(Environment):
         if isinstance(obj, MethodType):
             return attr not in UNSAFE_FUNCTION_ATTRIBUTES and \
                    attr not in UNSAFE_METHOD_ATTRIBUTES
+        if isinstance(obj, type):
+            return attr != 'mro'
+        if isinstance(obj, (CodeType, TracebackType, FrameType)):
+            return False
+        if isinstance(obj, GeneratorType):
+            return attr != 'gi_frame'
         return True
 
     def is_safe_callable(self, obj):
@@ -96,7 +103,7 @@ class SandboxedEnvironment(Environment):
                 ' unsafe.' % (
                     argument,
                     obj.__class__.__name__
-                ))
+                ), name=argument)
         return self.undefined(obj=obj, name=argument)
 
     def call(__self, __obj, *args, **kwargs):
-- 
2.26.2
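Review bot: The new branches in is_safe_attribute are bare inline blocklists with no comment saying what each one closes off, and the generator branch blocks `gi_frame` only, leaving other generator attributes that hand back the same frame or code object (such as `gi_code` on interpreters that provide it) to be added later by hand; the function's docstring and the start of its body are outside this hunk. The type branch allows every class attribute except `mro`, which presumably only holds because a leading-underscore check earlier in the function already rejects the dunder attributes — that dependency is worth stating next to the branch. I would keep the refused names beside the existing UNSAFE_FUNCTION_ATTRIBUTES and UNSAFE_METHOD_ATTRIBUTES sets instead of string literals, e.g. `UNSAFE_GENERATOR_ATTRIBUTES = set(['gi_frame'])` checked as `return attr not in UNSAFE_GENERATOR_ATTRIBUTES`, and put `# code, frame and traceback objects expose interpreter state: no attribute is safe` above the `return False` branch.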
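Review bot: The unsafe-attribute branch now passes `name=argument` to self.undefined but, unlike the missing-attribute return on the next line, still omits `obj=obj`; if that asymmetry is deliberate — so the Undefined does not carry a reference to the object whose attribute was refused — a one-line comment would keep a later cleanup from "fixing" it, e.g. `# deliberately no obj=: the refused object must not travel with the Undefined`. getattr's signature and the start of the message string are outside this hunk, so I cannot tell from here whether the first positional argument is documented as the hint text.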