<TITLE>An example -- Python library reference</TITLE>
<H2>11.1.1. An example</H2>
Let us say that we want a slightly more relaxed policy than the
standard RExec class. For example, if we're willing to allow files in
<FILE>/tmp</FILE> to be written, we can subclass the <CODE>RExec</CODE> class:
<P>
<UL COMPACT><PRE>
import rexec
import string

class TmpWriterRExec(rexec.RExec):
    def r_open(self, file, mode='r', buf=-1):
        if mode in ('r', 'rb'):
            pass                        # reading is allowed anywhere
        elif mode in ('w', 'wb', 'a', 'ab'):
            # check filename : must begin with /tmp/
            if file[:5] != '/tmp/':
                raise IOError("can't write outside /tmp")
            elif (string.find(file, '/../') >= 0 or
                  file[:3] == '../' or file[-3:] == '/..'):
                raise IOError("'..' in filename forbidden")
        else:
            raise IOError("Illegal open() mode")
        # this is the unrestricted builtin open(), since the class itself
        # lives outside the restricted environment
        return open(file, mode, buf)
</PRE></UL>
Notice that the above code will occasionally forbid a perfectly valid
filename; for example, code in the restricted environment won't be
able to open a file called <FILE>/tmp/foo/../bar</FILE>. To fix this, the
<CODE>r_open</CODE> method would have to simplify the filename to
<FILE>/tmp/bar</FILE>, which would require splitting apart the filename and
performing various operations on it. In cases where security is at
stake, it may be preferable to write simple code which is sometimes
overly restrictive, instead of more general code that is also more
complex and may harbor a subtle security hole.
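As an added example (not code from the original reference, and written for Python 3 without the rexec module), the two policies described above side by side: the page's textual rule as written, a normalising variant that does accept /tmp/foo/../bar, and a constructed scenario showing the kind of subtle hole the text warns about, namely that lexical normalisation alone cannot see a symlink planted inside the directory. The function names, the allowed_dir parameter and the temporary sandbox directory are assumptions of this example.

```python
import os
import posixpath
import shutil
import tempfile

READ_MODES = ('r', 'rb')
WRITE_MODES = ('w', 'wb', 'a', 'ab')

def simple_policy_allows(path, allowed_dir='/tmp'):
    """The page's textual rule: required prefix and no '..' anywhere."""
    prefix = allowed_dir + '/'
    if path[:len(prefix)] != prefix:
        return False
    return not ('/../' in path or path[:3] == '../' or path[-3:] == '/..')

def normalising_policy_allows(path, allowed_dir='/tmp', resolve_symlinks=False):
    """Lexically normalise ('/tmp/foo/../bar' -> '/tmp/bar'), then require the
    result to lie strictly inside allowed_dir.  resolve_symlinks=True also runs
    both sides through os.path.realpath; a lexical check cannot see symlinks."""
    if not posixpath.isabs(path):
        return False
    root, candidate = posixpath.normpath(allowed_dir), posixpath.normpath(path)
    if resolve_symlinks:
        root, candidate = os.path.realpath(root), os.path.realpath(candidate)
    return candidate != root and posixpath.commonpath([root, candidate]) == root

def check_open(path, mode, policy=simple_policy_allows):
    """r_open's decision: reads pass, writes need the policy, else illegal mode."""
    if mode in READ_MODES:
        return True
    if mode in WRITE_MODES:
        if not policy(path):
            raise OSError("can't write outside the permitted directory: %r" % path)
        return True
    raise OSError("Illegal open() mode: %r" % mode)

def symlink_escape_demo():
    """Constructed scenario: a fresh sandbox directory holding a symlink 'link'
    to its own parent.  Returns (lexical verdict, realpath verdict) for a write
    to sandbox/link/out, which really lands outside the sandbox."""
    sandbox = tempfile.mkdtemp()
    try:
        os.symlink(os.path.dirname(sandbox), os.path.join(sandbox, 'link'))
        target = os.path.join(sandbox, 'link', 'out')
        return (normalising_policy_allows(target, sandbox),
                normalising_policy_allows(target, sandbox, resolve_symlinks=True))
    finally:
        shutil.rmtree(sandbox)
```

The demo returns (True, False): the lexical check passes the write because the path string never leaves the sandbox, while the realpath-based check refuses it because the file would actually be created in the parent directory.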