Closed Bug 1259351 Opened 4 years ago Closed 4 years ago
templates defining decorators skip changing function global scope
MozReview Request: Bug 1259351 - Properly sandbox functions that are decorated with templates. r?nalexander
Templates such as checking or deprecated_option implement decorators. With the way things currently work, this skips running _prepare_function on the decorated function, so the decorated function isn't set up with a restricted global scope. And since functions are not using __setitem__ when setting global variables, it means such functions could theoretically overwrite globals in the sandbox. While not critical, because it's not likely to cause actual problems at the moment, it's possible it causes problems after bug 1256571, which would change the execution order and might make templates and functions declared later available to those functions, which is not supposed to be the case.
Review commit: https://reviewboard.mozilla.org/r/42681/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/42681/
Attachment #8735314 - Flags: review?(nalexander)
Comment on attachment 8735314
MozReview Request: Bug 1259351 - Properly sandbox functions that are decorated with templates. r?nalexander
https://reviewboard.mozilla.org/r/42681/#review39315

Someday I hope to read decorator definitions and not need to work forward from first principles.
Attachment #8735314 - Flags: review?(nalexander) → review+
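
A simplified model of the scoping issue described in this bug, added here as an illustration and not code from mozbuild or from the attached patch. `Sandbox`, `PROTECTED`, `prepare_function`, `make_template_decorator` and the sample script are constructed; `prepare_function` only stands in for `_prepare_function`. It relies on CPython's `STORE_GLOBAL` writing to a function's globals dict directly rather than through `__setitem__`.

```python
import types

PROTECTED = {"option"}  # constructed: names a sandboxed script must not rebind

class Sandbox(dict):
    """Globals dict that guards writes made at the top level of a script."""
    def __setitem__(self, key, value):
        if key in PROTECTED:
            raise KeyError("cannot reassign " + key)
        super().__setitem__(key, value)

def prepare_function(func):
    """Rebind func to a private globals dict (stand-in for _prepare_function)."""
    restricted = {"__builtins__": {}}
    return types.FunctionType(func.__code__, restricted, func.__name__,
                              func.__defaults__, func.__closure__)

def make_template_decorator(prepare):
    """Hypothetical decorator-producing template; prepare=False models the bug."""
    def decorator(func):
        inner = prepare_function(func) if prepare else func
        def wrapper(*args):
            return inner(*args)
        return wrapper
    return decorator

# Constructed sandboxed script: a function decorated by a template.
SCRIPT = '''
@checking
def clobber():
    global option      # compiles to STORE_GLOBAL, which bypasses __setitem__
    option = "hijacked"
clobber()
'''

def run(prepare):
    """Execute SCRIPT in a fresh sandbox and return the sandbox's 'option'."""
    sandbox = Sandbox()
    dict.__setitem__(sandbox, "option", "original")  # trusted setup path
    dict.__setitem__(sandbox, "checking", make_template_decorator(prepare))
    exec(SCRIPT, sandbox)
    return sandbox["option"]

def top_level_write_blocked():
    """A top-level assignment goes through __setitem__ and is rejected."""
    try:
        exec('option = "hijacked"', Sandbox())
    except KeyError:
        return True
    return False
```
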