
openerp-dev team mailing list archive

safe_eval merged into lp:openobject-server/trunk

 

Hello everyone,

I've just pushed the merge of the safe_eval branch in server trunk, so I
wanted to give a little warning about it.

 revno: 2318
 revision-id: odo@xxxxxxxxxxx-20100604011342-wus17d5o99gfoqf5

Basically this affects potentially all places in the system where we
eval() code, specifically the data loading system (XML/YAML) and the
dynamic code evaluation (workflows, server actions, ...)

Most of the server is now using the safe_eval() from tools.safe_eval,
except in some parts of the data loading mechanism (convert.py,
yaml_import.py) where it's not possible to do. The latter is ok because
we can normally assume that this is only for loading trusted code.

The way safe_eval has been used to replace eval() is very simple and
does not change a lot of code in most cases:

   from tools.safe_eval import safe_eval as eval

If you notice any issue due to the use of safe_eval (like a KeyError or
NameError inside an eval() that used to work), please be very careful
when considering how to fix this. There are only very rare cases where
we need the full default eval(), and even then this should only be done
when we are evaluating code that we know is trusted!

When we need this I've done the following to make it very explicit:

   unsafe_eval = eval
   from tools.safe_eval import safe_eval as eval

   ... and then we use eval() or unsafe_eval() as necessary

For most issues the fix will usually be very simple: just pass the
correct context (i.e. globals and locals dicts) to the eval call. It
used to work because eval() took by default the local environment, which
safe_eval must not do anymore.

Finally, if you ever need to pass a simulated globals/locals dictionary
to safe_eval you should also pass the nocopy=True flag, to prevent
copying the static content only (safe_eval outputs a warning about that)

Note: I still need to commit more YAML testcases for this, some samples
already added in base/test.

If you have any questions or suggestions do not hesitate to discuss on this
list.


-- 
Olivier Dony


PS: I'm not sure if all members of lp:~openerp-dev are subscribed to
this mailing-list, please tell them to do it in case they're not.
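
The scoping change described in the message above, as an added example that is not part of the original post and is not OpenERP's code. `restricted_eval` and the helper functions are hypothetical; the evaluator is a simplified stand-in for `tools.safe_eval.safe_eval`, written only to show why an expression that relied on the caller's locals raises NameError until the context is passed explicitly.

```python
import ast

# Hypothetical stand-in for a restricted evaluator; NOT tools.safe_eval.
_ALLOWED_BUILTINS = {"True": True, "False": False, "None": None,
                     "len": len, "str": str, "int": int, "bool": bool}

def restricted_eval(expr, globals_dict=None, locals_dict=None):
    """Evaluate expr using only the names the caller passes explicitly."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        # Refuse double-underscore names and attributes outright.
        name = getattr(node, "id", None) or getattr(node, "attr", None)
        if name and name.startswith("__"):
            raise ValueError("forbidden name: %s" % name)
    env = dict(globals_dict or {})  # work on a copy of the caller's dict
    env["__builtins__"] = dict(_ALLOWED_BUILTINS)
    return eval(compile(tree, "<expr>", "eval"), env, dict(locals_dict or {}))

def old_style(uid):
    # Builtin eval() silently sees the caller's locals, so 'uid' resolves.
    return eval("uid == 1")

def migrated_without_context(uid):
    # Same expression, no context passed: 'uid' is unknown to the evaluator.
    try:
        return restricted_eval("uid == 1")
    except NameError as exc:
        return "NameError: %s" % exc

def migrated_with_context(uid):
    # The fix described in the message: pass the needed names explicitly.
    return restricted_eval("uid == 1", {"uid": uid})

def blocked(expr):
    # Report how the stand-in handles an expression given no context at all.
    try:
        restricted_eval(expr)
    except (NameError, ValueError) as exc:
        return type(exc).__name__
    return "evaluated"

if __name__ == "__main__":
    print(old_style(1), migrated_without_context(1), migrated_with_context(1))
    print(blocked("__import__('os')"), blocked("open('x')"), blocked("len('ab')"))
```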