ó ØÕL]c@s8dZddlZddlZddlmZddlmZddlmZddl m Z m Z m Z m Z mZmZmZmZmZddlmZeZeedƒrÌdd lmZeZnd Zed d d ddgƒZedddgƒZeddgƒZeddgƒZ eddgƒZ!esJeƒZnddl"Z"e"j#dde$ddƒddlm%Z%efZ&e'fZ(e)fZ*yGddl+m+Z+m,Z,ddl-m-Z-e(e+e,f7Z(e&e-f7Z&Wne.k rônXy!dd l/m0Z0e&e0f7Z&Wne.k r)nXyGdd!lm1Z1m2Z2m3Z3e&e1f7Z&e(e2f7Z(e*e3f7Z*Wne.k r„nXe&e4d"d#d$d%d&d'd(d)gƒfe(e4d#d&d*d+d)gƒfe*e4d,d-d.d/d0d'gƒfe%e4d,d1d#d0d2d&d3d'd4g ƒffZ5eedƒrCd5efd6„ƒYZ6nd7efd8„ƒYZ7d9„Z8d:„Z9d;„Z:d<„Z;d=„Z<d>efd?„ƒYZ=d@e=fdA„ƒYZ>er4yddBl?m@Z@Wne.k rèdC„Z@nXdDeAfdE„ƒYZBdFeBefdG„ƒYZCdHeBe6fdI„ƒYZDndS(Jsj jinja2.sandbox ~~~~~~~~~~~~~~ Adds a sandbox layer to Jinja as it was the default behavior in the old Jinja 1 releases. This sandbox is slightly different from Jinja 1 as the default behavior is easier to use. The behavior can be changed by subclassing the environment. :copyright: (c) 2010 by the Jinja Team. :license: BSD. iÿÿÿÿN(tMapping(t Environment(t SecurityError( t string_typest function_typet method_typettraceback_typet code_typet frame_typetgenerator_typet text_typetPY2(tMarkuptformat(t Formatteri †t func_closuret func_codet func_dictt func_defaultst func_globalstim_classtim_functim_selftgi_frametgi_codetcr_frametcr_codetag_codetag_frametignoresthe sets moduletmodulesjinja2.sandbox(tdeque(tUserDictt DictMixin(tUserList(tSet(t MutableSettMutableMappingtMutableSequencetaddtcleartdifference_updatetdiscardtpoptremovetsymmetric_difference_updatetupdatetpopitemt setdefaulttappendtreversetinserttsorttextendt appendleftt extendlefttpoplefttrotatetEscapeFormattercBseZd„Zd„ZRS(cCs ||_dS(N(tescape(tselfR;((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyt__init__tscCs”t|dƒr!|j|ƒ}n`t|dƒrf|rWtdj|t|ƒƒƒ‚n|jƒ}ntj||t|ƒƒ}t|j |ƒƒS(Nt__html_format__t__html__sžFormat specifier {0} given, but {1} does not define __html_format__. A class that defines __html__ must define __html_format__ to work with format specifiers.( thasattrR>t ValueErrorR ttypeR?Rt format_fieldR R;(R<tvaluet format_spectrv((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyRCws(t__name__t __module__R=RC(((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR:ss t_MagicFormatMappingcBs2eZdZd„Zd„Zd„Zd„ZRS(sÍThis class implements a dummy wrapper to fix a bug in the Python standard library for string formatting. See http://bugs.python.org/issue13598 for information about why this is necessary. cCs||_||_d|_dS(Ni(t_argst_kwargst _last_index(R<targstkwargs((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR=“s  cCsa|dkrV|j}|jd7_y|j|SWntk rFnXt|ƒ}n|j|S(Nti(RLRJt LookupErrortstrRK(R<tkeytidx((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyt __getitem__˜s   cCs t|jƒS(N(titerRK(R<((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyt__iter__£scCs t|jƒS(N(tlenRK(R<((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyt__len__¦s(RGRHt__doc__R=RTRVRX(((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyRI‹s   cCsYts dSt|tjtjfƒ s5|jdkr9dS|j}t|tƒrU|SdS(NR ( t has_formattNonet isinstancettypest MethodTypetBuiltinMethodTypeRGt__self__R(tcallabletobj((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pytinspect_format_methodªs  cGs5t|Œ}t|ƒtkr1tdtƒ‚n|S(sWA range that can't generate ranges with a length of more than MAX_RANGE items. s+range too big, maximum size for range is %d(trangeRWt MAX_RANGEt OverflowError(RMtrng((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyt safe_range¶s   cCs t|_|S(snMarks a function or method as unsafe. :: @unsafe def delete(self): pass (tTruetunsafe_callable(tf((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pytunsafeÁs cCs%t|tƒr"|tkrtSnöt|tƒrP|tksI|tkrtSnÈt|tƒrr|dkrtSn¦t|ttt fƒrŽtSt|t ƒr°|t krtSnht t dƒrät|t jƒrä|tkrtSn4t t dƒrt|t jƒrttkrtSn|jdƒS(s Test if the attribute given is an internal python attribute. For example this function returns `True` for the `func_code` attribute of python objects. This is useful if the environment method :meth:`~SandboxedEnvironment.is_safe_attribute` is overridden. >>> from jinja2.sandbox import is_internal_attribute >>> is_internal_attribute(lambda: None, "func_code") True >>> is_internal_attribute((lambda x:x).func_code, 'co_code') True >>> is_internal_attribute(str, "upper") False tmrot CoroutineTypetAsyncGeneratorTypet__(R\RtUNSAFE_FUNCTION_ATTRIBUTESRiRtUNSAFE_METHOD_ATTRIBUTESRBRRRR tUNSAFE_GENERATOR_ATTRIBUTESR@R]RntUNSAFE_COROUTINE_ATTRIBUTESRotattrit!UNSAFE_ASYNC_GENERATOR_ATTRIBUTESt startswith(Rbtattr((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pytis_internal_attributeÎs,     ! ! cCs4x-tD]%\}}t||ƒr||kSqWtS(s³This function checks if an attribute on a builtin mutable object (list, dict, set or deque) would modify it if called. It also supports the "user"-versions of the objects (`sets.Set`, `UserDict.*` etc.) and with Python 2.6 onwards the abstract base classes `MutableSet`, `MutableMapping`, and `MutableSequence`. >>> modifies_known_mutable({}, "clear") True >>> modifies_known_mutable({}, "keys") False >>> modifies_known_mutable([], "append") True >>> modifies_known_mutable([], "index") False If called with an unsupported object (such as unicode) `False` is returned. >>> modifies_known_mutable("foo", "upper") False (t _mutable_specR\tFalse(RbRxttypespecRl((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pytmodifies_known_mutableôstSandboxedEnvironmentcBsïeZdZeZiejd6ejd6ejd6ej d6ej d6ej d6ej d6Z iejd6ejd6ZeƒZeƒZd„Zd „Zd „Zd „Zd „Zd „Zd„Zd„Zd„Zd„Zd„ZRS(séThe sandboxed environment. It works like the regular environment but tells the compiler to generate sandboxed code. Additionally subclasses of this environment may override the methods that tell the runtime what attributes or functions are safe to access. If the template tries to access insecure code a :exc:`SecurityError` is raised. However also other exceptions may occur during the rendering so the caller has to ensure that all exceptions are caught. t+t-t*t/s//s**t%cCstS(s”Called during template compilation with the name of a unary operator to check if it should be intercepted at runtime. If this method returns `True`, :meth:`call_unop` is excuted for this unary operator. The default implementation of :meth:`call_unop` will use the :attr:`unop_table` dictionary to perform the operator with the same logic as the builtin one. The following unary operators are interceptable: ``+`` and ``-`` Intercepted calls are always slower than the native operator call, so make sure only to intercept the ones you are interested in. .. versionadded:: 2.6 (R{(R<toperator((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pytintercept_unopPscOsHtj|||Žt|jd<|jjƒ|_|jjƒ|_dS(NRd( RR=Rhtglobalstdefault_binop_tabletcopyt binop_tabletdefault_unop_tablet unop_table(R<RMRN((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR=bs cCs|jdƒpt||ƒ S(sYThe sandboxed environment will call this method to check if the attribute of an object is safe to access. Per default all attributes starting with an underscore are considered private as well as the special attributes of internal python objects as returned by the :func:`is_internal_attribute` function. t_(RwRy(R<RbRxRD((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pytis_safe_attributehscCs#t|dtƒp!t|dtƒ S(sCheck if an object is safely callable. Per default a function is considered safe unless the `unsafe_callable` attribute exists and is True. Override this method to alter the behavior, but this won't affect the `unsafe` decorator from this module. Rjt alters_data(tgetattrR{(R<Rb((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pytis_safe_callableqscCs|j|||ƒS(s÷For intercepted binary operator calls (:meth:`intercepted_binops`) this function is executed instead of the builtin operator. This can be used to fine tune the behavior of certain operators. .. versionadded:: 2.6 (R‰(R<tcontextR„tlefttright((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyt call_binopzscCs|j||ƒS(sõFor intercepted unary operator calls (:meth:`intercepted_unops`) this function is executed instead of the builtin operator. This can be used to fine tune the behavior of certain operators. .. versionadded:: 2.6 (R‹(R<R‘R„targ((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyt call_unopƒscCsÂy ||SWnttfk r«t|tƒr¬yt|ƒ}Wntk rTq¨Xyt||ƒ}Wntk r{q¨X|j|||ƒr•|S|j ||ƒSq¬nX|j d|d|ƒS(s(Subscribe an object from sandboxed code.Rbtname( t TypeErrorRPR\RRQt ExceptionRtAttributeErrorRtunsafe_undefinedt undefined(R<RbtargumentRxRD((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pytgetitemŒs    cCsŒyt||ƒ}Wn7tk rLy ||SWqvttfk rHqvXn*X|j|||ƒrf|S|j||ƒS|jd|d|ƒS(s€Subscribe an object from sandboxed code and prefer the attribute. The attribute passed *must* be a bytestring. RbR—(RRšR˜RPRR›Rœ(R<Rbt attributeRD((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR¡s  cCs/|jd||jjfd|d|dtƒS(s1Return an undefined object for unsafe attributes.s.access to attribute %r of %r object is unsafe.R—Rbtexc(Rœt __class__RGR(R<RbRŸ((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR›²s cCsdt|tƒr$t||jƒ}n t|ƒ}t||ƒ}|j|||ƒ}t|ƒ|ƒS(s…If a format call is detected, then this is routed through this method so that our safety sandbox can be used for it. (R\R tSandboxedEscapeFormatterR;tSandboxedFormatterRItvformatRB(R<tsRMRNt formatterRF((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyt format_stringºs  cOsct|ƒ}|dk r+|j|||ƒS|j|ƒsPtd|fƒ‚n|j|||ŽS(s#Call an object from sandboxed code.s%r is not safely callableN(RcR[R§RRtcall(t_SandboxedEnvironment__selft_SandboxedEnvironment__contextt_SandboxedEnvironment__objRMRNtfmt((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR¨Æs   (RGRHRYRit sandboxedR„R'tsubtmulttruedivtfloordivtpowtmodR‡tpostnegRŠt frozensettintercepted_binopstintercepted_unopsR…R=RRR”R–RžRR›R§R¨(((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR~s4                  tImmutableSandboxedEnvironmentcBseZdZd„ZRS(sÓWorks exactly like the regular `SandboxedEnvironment` but does not permit modifications on the builtin mutable objects `list`, `set`, and `dict` by using the :func:`modifies_known_mutable` function. cCs*tj||||ƒstSt||ƒ S(N(R~RR{R}(R<RbRxRD((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyRÙs(RGRHRYR(((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR¹Ós(tformatter_field_name_splitcCs |jƒS(N(t_formatter_field_name_split(t field_name((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyRºästSandboxedFormatterMixincBseZd„Zd„ZRS(cCs ||_dS(N(t_env(R<tenv((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR=ésc Cs{t|ƒ\}}|j|||ƒ}xG|D]?\}}|rX|jj||ƒ}q.|jj||ƒ}q.W||fS(N(Rºt get_valueR¾RRž( R<R¼RMRNtfirsttrestRbtis_attrti((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyt get_fieldìs(RGRHR=RÅ(((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR½çs R£cBseZd„ZRS(cCs!tj||ƒtj|ƒdS(N(R½R=R(R<R¿((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR=÷s(RGRHR=(((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR£ösR¢cBseZd„ZRS(cCs$tj||ƒtj||ƒdS(N(R½R=R:(R<R¿R;((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR=üs(RGRHR=(((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyR¢ûs(ERYR]R„t collectionsRtjinja2.environmentRtjinja2.exceptionsRtjinja2._compatRRRRRRR R R t jinja2.utilsR R{RZR@tstringRRiRetsetRqRrRsRtRvtwarningstfilterwarningstDeprecationWarningRt_mutable_set_typestdictt_mutable_mapping_typestlistt_mutable_sequence_typesR R!R"t ImportErrortsetsR#R$R%R&R¶RzR:RIRcRhRlRyR}R~R¹t_stringRºtobjectR½R£R¢(((s2/usr/lib/python2.7/site-packages/jinja2/sandbox.pyts”  @              & à