Hello everyone, I've just pushed the merge of the safe_eval branch in server trunk, so I wanted to give a little warning about it.

    revno: 2318
    revision-id: [email protected]

Basically this affects potentially all places in the system where we eval() code, specifically the data loading system (XML/YAML) and the dynamic code evaluation (workflows, server actions, ...).

Most of the server is now using the safe_eval() from tools.safe_eval, except in some parts of the data loading mechanism (convert.py, yaml_import.py) where it's not possible to do. The latter is ok because we can normally assume that this is only for loading trusted code.

The way safe_eval has been used to replace eval() is very simple and does not change a lot of code in most cases:

    from tools.safe_eval import safe_eval as eval

If you notice any issue due to the use of safe_eval (like a KeyError or NameError inside an eval() that used to work), please be very careful when considering how to fix this. There are only very rare cases where we need the full default eval(), and even then this should only be done when we are evaluating code that we know is trusted! When we need this I've done the following to make it very explicit:

    unsafe_eval = eval
    from tools.safe_eval import safe_eval as eval
    ...

and then we use eval() or unsafe_eval() as necessary.

For most issues the fix will usually be very simple: just pass the correct context (i.e. globals and locals dicts) to the eval call. It used to work because eval() took by default the local environment, which safe_eval must not do anymore.

Finally, if you ever need to pass a simulated globals/locals dictionary to safe_eval you should also pass the nocopy=True flag, to prevent copying the static content only (safe_eval outputs a warning about that).

Note: I still need to commit more YAML testcases for this, some samples already added in base/test.

If you have any questions or suggestions do not hesitate to discuss on this list.

--
Olivier Dony

PS: I'm not sure if all members of lp:~openerp-dev are subscribed to this mailing-list, please tell them to do it in case they're not.
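
The NameError case and the nocopy case described in the message, as an added example that is not part of the original post and is not OpenERP's code. `restricted_eval`, `LazyFields` and `demo` are hypothetical stand-ins that model only the two behaviours the message names (no implicit caller scope, copy unless nocopy=True); the AST whitelist is a swapped-in technique, not the method of tools.safe_eval.

```python
import ast

# Syntax the stand-in accepts: names, literals, arithmetic, comparisons and
# boolean logic. Calls, attribute access, lambdas etc. are rejected up front.
_ALLOWED = (ast.Expression, ast.Name, ast.Constant, ast.BoolOp, ast.BinOp,
            ast.UnaryOp, ast.Compare, ast.boolop, ast.operator, ast.unaryop,
            ast.cmpop, ast.expr_context)

def restricted_eval(expr, globals_dict=None, locals_dict=None, nocopy=False):
    """Hypothetical stand-in for the safe_eval in the message (not OpenERP code)."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError("forbidden syntax: " + type(node).__name__)
    globals_dict = {} if globals_dict is None else globals_dict
    locals_dict = {} if locals_dict is None else locals_dict
    if not nocopy:
        # Default: snapshot both mappings into plain dicts so the caller's
        # objects are never touched. Only statically stored items survive.
        globals_dict, locals_dict = dict(globals_dict), dict(locals_dict)
    globals_dict["__builtins__"] = {}  # no builtins and no caller scope
    return eval(compile(tree, "<expr>", "eval"), globals_dict, locals_dict)

class LazyFields(dict):
    """Constructed 'simulated' dict: values are computed at lookup time."""
    def __getitem__(self, name):
        if name == "amount_total":
            return 120.0
        raise KeyError(name)

def demo():
    amount = 150  # local variable the expression refers to
    out = {"builtin": eval("amount > 100")}  # plain eval() sees caller locals
    try:
        restricted_eval("amount > 100")      # no context passed
    except NameError:
        out["no_context"] = "NameError"
    out["explicit"] = restricted_eval("amount > 100", {}, {"amount": amount})
    lazy = LazyFields()
    try:
        restricted_eval("amount_total > 100", {}, lazy)  # copied: becomes {}
    except NameError:
        out["lazy_copied"] = "NameError"
    out["lazy_nocopy"] = restricted_eval("amount_total > 100", {}, lazy, nocopy=True)
    return out

if __name__ == "__main__":
    print(demo())
```
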

