openerp-dev team mailing list archive, Message #00001
Subject: safe_eval merged into lp:openobject-server/trunk
To: openerp-dev@xxxxxxxxxxxxxxxxxxx
From: Olivier Dony <odo@xxxxxxxxxxx>
Date: Fri, 04 Jun 2010 03:15:23 +0200
Organization: OpenERP
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9pre) Gecko/20100217 Shredder/3.0.3pre
Hello everyone,
I've just pushed the merge of the safe_eval branch in server trunk, so I
wanted to give a little warning about it.
revno: 2318
revision-id: odo@xxxxxxxxxxx-20100604011342-wus17d5o99gfoqf5
Basically this affects potentially all places in the system where we
eval() code, specifically the data loading system (XML/YAML) and the
dynamic code evaluation (workflows, server actions, ...).
Most of the server is now using the safe_eval() from tools.safe_eval,
except in some parts of the data loading mechanism (convert.py,
yaml_import.py) where it's not possible to do so. The latter is ok because
we can normally assume that this is only for loading trusted code.
The way safe_eval has been used to replace eval() is very simple and
does not change a lot of code in most cases:
from tools.safe_eval import safe_eval as eval
If you notice any issue due to the use of safe_eval (like a KeyError or
NameError inside an eval() that used to work), please be very careful
when considering how to fix this. There are only very rare cases where
we need the full default eval(), and even then this should only be done
when we are evaluating code that we know is trusted!
When we need this I've done the following to make it very explicit:
unsafe_eval = eval
from tools.safe_eval import safe_eval as eval
... and then we use eval() or unsafe_eval() as necessary
For most issues the fix will usually be very simple: just pass the
correct context (i.e. globals and locals dicts) to the eval call. It
used to work because eval() took by default the local environment, which
safe_eval must not do anymore.
Finally, if you ever need to pass a simulated globals/locals dictionary
to safe_eval, you should also pass the nocopy=True flag, to prevent
copying the static content only (safe_eval outputs a warning about that).
Note: I still need to commit more YAML testcases for this, some samples
already added in base/test.
If you have any questions or suggestions, do not hesitate to discuss on this
list.
--
Olivier Dony
PS: I'm not sure if all members of lp:~openerp-dev are subscribed to
this mailing-list, please tell them to do so in case they're not.