CurrentBehavior

Python Methods Current Behavior

• uses GuardedBlock for security
• copies methods from DocumentTemplate.DT_Util.TemplateDict into the builtins dictionary, and also provides access to a TemplateDict instance through the name "_".
• recurses into code blocks, allowing lambdas and nested function definitions.

GuardedBlock security

• co_names is checked for multi-character names beginning with "_".
• print statements are replaced with calls to a function that stores the text in a list. The concatenation of these strings is available through global variable printed. If printed is not read, but print statements are used, a warning is printed.
• assignment statements are only allowed if the target list is a local or global variable name. This prevents assignments to attributes, items, or slices.
• del and exec statements are not allowed, and import is not usable.
• return, assert, try/finally, try/except/else, pass, raise, break, continue, global, if/elif/else, for/else, and while/else are not changed or restricted.
• The only other statements are expression statements. Expression evaluation is altered so that multiplication operations are replaced with calls to careful_mul from DocumentTemplate.VSEval.
• Since CodeBlock compiles a function in an empty global namespace with no builtins, the function is flagged restricted, and cannot access internal attributes such as im_func.