Update of /cvsroot/pywin32/pywin32/com/win32comext/axscript/client
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16172
Modified Files:
pyscript.py pyscript_rexec.py
Log Message:
For people silly enough to really want to do it, allow a Python engine even
for hosts that request a "safe" engine. pyscript_rexec.py must still be
manually run to register such an engine, and it prints an explicit warning.
Index: pyscript.py
===================================================================
RCS file: /cvsroot/pywin32/pywin32/com/win32comext/axscript/client/pyscript.py,v
retrieving revision 1.7
retrieving revision 1.8
diff -C2 -d -r1.7 -r1.8
*** pyscript.py 6 Oct 2004 02:02:11 -0000 1.7
--- pyscript.py 13 Feb 2005 12:26:33 -0000 1.8
***************
*** 261,268 ****
def RegisterNamedItem(self, item):
if self.rexec_env is None:
! if self.safetyOptions & (axscript.INTERFACESAFE_FOR_UNTRUSTED_DATA | axscript.INTERFACESAFE_FOR_UNTRUSTED_CALLER):
! # Use RExec.
! self.rexec_env = AXRExec(self.globalNameSpaceModule)
! else:
# DONT use RExec.
self.rexec_env = AXNotRExec(self.globalNameSpaceModule)
--- 261,271 ----
def RegisterNamedItem(self, item):
if self.rexec_env is None:
! # RExec is not available in 2.2+. If we get here for IE, the
! # user has explicitly run axscript_rexec, so is choosing to
! # take this risk.
! # if self.safetyOptions & (axscript.INTERFACESAFE_FOR_UNTRUSTED_DATA | axscript.INTERFACESAFE_FOR_UNTRUSTED_CALLER):
! # # Use RExec.
! # self.rexec_env = AXRExec(self.globalNameSpaceModule)
! # else:
# DONT use RExec.
self.rexec_env = AXNotRExec(self.globalNameSpaceModule)
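Review bot: With the `safetyOptions` test commented out, RegisterNamedItem no longer consults the host's INTERFACESAFE_FOR_UNTRUSTED_DATA / INTERFACESAFE_FOR_UNTRUSTED_CALLER request at all, so the only remaining gate is whether the rexec engine was registered; that gate is not visible in this hunk and the comment should state it rather than imply it. The new comment also names `axscript_rexec`, while the script in this commit is `pyscript_rexec.py`; I would write `# user has explicitly run pyscript_rexec.py, so is choosing to`. The four commented-out lines are better deleted than kept, because the revision history already holds them and un-commenting them would bring back AXRExec, which the comment says is unavailable. A trace line emitted when the untrusted flags are set and the unrestricted environment is chosen anyway would give later incident review something to find. The function body continues outside the hunk.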
Index: pyscript_rexec.py
===================================================================
RCS file: /cvsroot/pywin32/pywin32/com/win32comext/axscript/client/pyscript_rexec.py,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** pyscript_rexec.py 29 May 2002 01:59:20 -0000 1.2
--- pyscript_rexec.py 13 Feb 2005 12:26:33 -0000 1.3
***************
*** 3,6 ****
--- 3,10 ----
# rexec module being neither completely trusted nor private, it is
# *not* enabled by default.
+ # As of Python 2.2, rexec is simply not available - thus, if you use this,
+ # a HTML page can do almost *anything* at all on your machine.
+
+ # You almost certainly do NOT want to use thus!
import pythoncom
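Review bot: The last added comment line reads `# You almost certainly do NOT want to use thus!`; `thus` should be `this`, and a typo in a security warning is worth fixing. The two older lines above it still explain the opt-in by rexec being "neither completely trusted nor private", which reads oddly next to the new statement that rexec is not available. One sentence saying that the engine registered by this file runs page script with no restriction at all would make the header consistent.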
***************
*** 32,34 ****
--- 36,43 ----
if __name__=='__main__':
+ print "WARNING: By registering this engine, you are giving remote HTML code"
+ print "the ability to execute *any* code on your system."
+ print
+ print "You almost certainly do NOT want to do this."
+ print "You have been warned, and are doing this at your own (significant) risk"
pyscript.Register(PyScriptRExec)
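Review bot: The warning is printed and `pyscript.Register(PyScriptRExec)` then runs immediately, so a run from an installer or batch file registers the engine without anyone having read the text. An explicit confirmation before the call would make the opt-in real, for example `if raw_input("Type YES to register: ") != "YES": raise SystemExit(1)`. If Register also handles unregistration from the command line (not visible here), the prompt and the warning should be skipped in that case. The prints go to stdout; stderr is the more usual place for a warning that must not be lost when output is redirected.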