Name

Bastion

Synopsis

class Bastion(obj,filter=lambda n: n[:1]!='_',name=None)

A Bastion instance b wrapping object obj exposes only those methods of obj for whose name filter returns true. An access b.attr works like:

if filter('attr'): return obj.attr
else: raise AttributeError, 'attr'

plus a check that b.attr is a method, not an attribute of any other type.

The default filter accepts all method names that do not start with an underscore (_) (i.e., all methods that are neither private nor special methods). When name is not None, repr(b) is the string '<Bastion for name>'. When name is None, repr(b) is '<Bastion for %s>' % repr(obj).

Suppose, for example, that your application supplies a class MyClass whose public methods are all safe, while private and special methods, as well as attributes that are not methods, should be hidden from untrusted code. In the sandbox, you can provide a factory function that supplies safely wrapped instances of MyClass to untrusted code as follows:

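import rexec, Bastion
rex = rexec.RExec()
# Expose the factory through the sandbox's __builtins__ module
burex = rex.add_module('__builtins__')
def SafeMyClassFactory(*args, **kwds):
    # Untrusted code receives only a Bastion wrapper, never the MyClass instance itself
    return Bastion.Bastion(MyClass(*args, **kwds))
# Inside the sandbox, the name MyClass refers to the factory
burex.MyClass = SafeMyClassFactory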

Now, untrusted code that you run with rex.r_exec can instantiate and use safely wrapped instances of MyClass:

m = MyClass(1,2,3)
m.somemethod(4,5)

However, any attempt by the untrusted code to access private or special methods, even indirectly (e.g., m[6]=7 indirectly tries to use special method __setitem__ ...
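The access rule and the m[6]=7 case above, as an added example that is not code from the book or from the standard library's Bastion module: a Python 3 stand-in that applies the same name filter and method check (Python 3 no longer ships Bastion or rexec). The names filtered_proxy, Account, outcome and demo are hypothetical, and Account is a constructed stand-in for MyClass. Under Python 3 the indirect m[6]=7 fails with TypeError rather than AttributeError, because implicit special-method lookup goes to the proxy's type.

```python
import types

def filtered_proxy(obj, filter=lambda n: n[:1] != '_', name=None):
    """Python 3 stand-in (hypothetical name) for the access rule described above."""
    def get(attr):
        if filter(attr):
            value = getattr(obj, attr)
            if isinstance(value, types.MethodType):  # bound methods only, no data
                return value
        raise AttributeError(attr)
    label = repr(obj) if name is None else name
    class Proxy:
        __slots__ = ()                # the proxy stores no state of its own
        def __getattr__(self, attr):  # called only when normal lookup fails
            return get(attr)
        def __repr__(self):
            return '<Bastion for %s>' % label
    return Proxy()

class Account:                        # constructed sample, stands in for MyClass
    def __init__(self, balance):
        self.balance = balance        # data attribute: hidden by the method check
    def deposit(self, amount):        # public method: exposed
        self.balance += amount
        return self.balance
    def _audit(self):                 # private method: rejected by the filter
        return 'internal'
    def __setitem__(self, key, value):  # special method: rejected by the filter
        self.balance = value

def outcome(action):
    """Return the action's result, or the name of the exception it raised."""
    try:
        return action()
    except (AttributeError, TypeError) as exc:
        return type(exc).__name__

def demo():
    b = filtered_proxy(Account(10), name='acct')
    def set_item():
        b[6] = 7                      # implicit __setitem__ lookup on the proxy type
    return {
        'public method': outcome(lambda: b.deposit(5)),
        'private method': outcome(lambda: b._audit()),
        'data attribute': outcome(lambda: b.balance),
        'special, direct': outcome(lambda: b.__setitem__(6, 7)),
        'special, indirect': outcome(set_item),
        'repr': repr(b),
    }
```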
