Name
Bastion
Synopsis
class Bastion(obj, filter=lambda n: n[:1]!='_', name=None)
A Bastion instance b wrapping object obj exposes only those methods of obj for whose name filter returns true. An access b.attr works like:

    if filter('attr'): return obj.attr
    else: raise AttributeError, 'attr'

plus a check that b.attr is a method, not an attribute of any other type.
The default filter accepts all method names that do not start with an underscore (_) (i.e., all methods that are neither private nor special methods).
When name is not None, repr(b) is the string '<Bastion for name>'. When name is None, repr(b) is '<Bastion for %s>' % repr(obj).
Suppose, for example, that your application supplies a class MyClass whose public methods are all safe, while private and special methods, as well as attributes that are not methods, should be hidden from untrusted code. In the sandbox, you can provide a factory function that supplies safely wrapped instances of MyClass to untrusted code as follows:

    import rexec, Bastion
    rex = rexec.RExec()
    burex = rex.add_module('__builtins__')
    def SafeMyClassFactory(*args, **kwds):
        return Bastion.Bastion(MyClass(*args, **kwds))
    burex.MyClass = SafeMyClassFactory

Now, untrusted code that you run with rex.r_exec can instantiate and use safely wrapped instances of MyClass:

    m = MyClass(1,2,3)
    m.somemethod(4,5)

However, any attempt by the untrusted code to access private or special methods, even indirectly (e.g., m[6]=7 indirectly tries to use special method __setitem__ ...
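
The access rule described above, as an added example that is not code from the book or from the standard library: the Bastion module was removed in Python 3, so BastionLike is a hypothetical Python 3 model of the filter-plus-method check, and MyClass is a constructed stand-in. It models the access rule only, not the rexec sandbox around it; note that in Python 3, m[6]=7 looks up __setitem__ on the wrapper's type and fails with TypeError rather than going through the wrapper's attribute hook.

```python
import inspect

class BastionLike:
    """Hypothetical Python 3 model of the access rule; not the stdlib code."""
    def __init__(self, obj, filter=lambda n: n[:1] != '_', name=None):
        def get(attr):
            if not filter(attr):                # name rejected by the filter
                raise AttributeError(attr)
            value = getattr(obj, attr)
            if not inspect.ismethod(value):     # non-method attributes stay hidden
                raise AttributeError(attr)
            return value
        self._get = get
        self._repr = '<Bastion for %s>' % (name if name is not None else repr(obj))

    def __getattr__(self, attr):
        return self._get(attr)      # reached only for names the wrapper lacks

    def __repr__(self):
        return self._repr

class MyClass:                                  # constructed stand-in class
    def __init__(self, *args):
        self.args = args                        # data attribute
    def somemethod(self, a, b):                 # public method
        return sum(self.args) + a + b
    def _helper(self):                          # private method
        return 'internal'
    def __setitem__(self, key, value):          # special method
        self.args += (value,)

def outcome(action):
    """Return action()'s result, or the name of the exception it raised."""
    try:
        return action()
    except (AttributeError, TypeError) as exc:
        return type(exc).__name__

def demo():
    m = BastionLike(MyClass(1, 2, 3), name='MyClass instance')
    def set_item():
        m[6] = 7            # Python 3 looks __setitem__ up on type(m): TypeError
    return {
        'call': outcome(lambda: m.somemethod(4, 5)),
        'private': outcome(lambda: m._helper()),
        'data': outcome(lambda: m.args),
        'special': outcome(lambda: m.__setitem__),
        'indexing': outcome(set_item),
    }
```
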