# SOME DESCRIPTIVE TITLE. # Copyright (C) 1990-2016, Python Software Foundation # This file is distributed under the same license as the Python package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: Python 2.7\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2016-10-30 10:44+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: ../Doc/library/rexec.rst:2 msgid ":mod:`rexec` --- Restricted execution framework" msgstr "" #: ../Doc/library/rexec.rst:8 msgid "The :mod:`rexec` module has been removed in Python 3." msgstr "" #: ../Doc/library/rexec.rst:11 msgid "Disabled module." msgstr "" #: ../Doc/library/rexec.rst:16 msgid "" "The documentation has been left in place to help in reading old code that " "uses the module." msgstr "" #: ../Doc/library/rexec.rst:19 msgid "" "This module contains the :class:`RExec` class, which supports :meth:" "`r_eval`, :meth:`r_execfile`, :meth:`r_exec`, and :meth:`r_import` methods, " "which are restricted versions of the standard Python functions :meth:" "`eval`, :meth:`execfile` and the :keyword:`exec` and :keyword:`import` " "statements. Code executed in this restricted environment will only have " "access to modules and functions that are deemed safe; you can subclass :" "class:`RExec` to add or remove capabilities as desired." msgstr "" #: ../Doc/library/rexec.rst:29 msgid "" "While the :mod:`rexec` module is designed to perform as described below, it " "does have a few known vulnerabilities which could be exploited by carefully " "written code. Thus it should not be relied upon in situations requiring " "\"production ready\" security. In such situations, execution via sub-" "processes or very careful \"cleansing\" of both code and data to be " "processed may be necessary. Alternatively, help in patching known :mod:" "`rexec` vulnerabilities would be welcomed." msgstr "" #: ../Doc/library/rexec.rst:39 msgid "" "The :class:`RExec` class can prevent code from performing unsafe operations " "like reading or writing disk files, or using TCP/IP sockets. However, it " "does not protect against code using extremely large amounts of memory or " "processor time." msgstr "" #: ../Doc/library/rexec.rst:46 msgid "Returns an instance of the :class:`RExec` class." msgstr "" #: ../Doc/library/rexec.rst:48 msgid "" "*hooks* is an instance of the :class:`RHooks` class or a subclass of it. If " "it is omitted or ``None``, the default :class:`RHooks` class is " "instantiated. Whenever the :mod:`rexec` module searches for a module (even a " "built-in one) or reads a module's code, it doesn't actually go out to the " "file system itself. Rather, it calls methods of an :class:`RHooks` instance " "that was passed to or created by its constructor. (Actually, the :class:" "`RExec` object doesn't make these calls --- they are made by a module loader " "object that's part of the :class:`RExec` object. This allows another level " "of flexibility, which can be useful when changing the mechanics of :keyword:" "`import` within the restricted environment.)" msgstr "" #: ../Doc/library/rexec.rst:59 msgid "" "By providing an alternate :class:`RHooks` object, we can control the file " "system accesses made to import a module, without changing the actual " "algorithm that controls the order in which those accesses are made. For " "instance, we could substitute an :class:`RHooks` object that passes all " "filesystem requests to a file server elsewhere, via some RPC mechanism such " "as ILU. Grail's applet loader uses this to support importing applets from a " "URL for a directory." msgstr "" #: ../Doc/library/rexec.rst:66 msgid "" "If *verbose* is true, additional debugging output may be sent to standard " "output." msgstr "" #: ../Doc/library/rexec.rst:69 msgid "" "It is important to be aware that code running in a restricted environment " "can still call the :func:`sys.exit` function. To disallow restricted code " "from exiting the interpreter, always protect calls that cause restricted " "code to run with a :keyword:`try`/:keyword:`except` statement that catches " "the :exc:`SystemExit` exception. Removing the :func:`sys.exit` function " "from the restricted environment is not sufficient --- the restricted code " "could still use ``raise SystemExit``. Removing :exc:`SystemExit` is not a " "reasonable option; some library code makes use of this and would break were " "it not available." msgstr "" #: ../Doc/library/rexec.rst:83 msgid "`Grail Home Page `_" msgstr "" #: ../Doc/library/rexec.rst:82 msgid "" "Grail is a Web browser written entirely in Python. It uses the :mod:`rexec` " "module as a foundation for supporting Python applets, and can be used as an " "example usage of this module." msgstr "" #: ../Doc/library/rexec.rst:90 msgid "RExec Objects" msgstr "" #: ../Doc/library/rexec.rst:92 msgid ":class:`RExec` instances support the following methods:" msgstr "" #: ../Doc/library/rexec.rst:97 msgid "" "*code* must either be a string containing a Python expression, or a compiled " "code object, which will be evaluated in the restricted environment's :mod:" "`__main__` module. The value of the expression or code object will be " "returned." msgstr "" #: ../Doc/library/rexec.rst:105 msgid "" "*code* must either be a string containing one or more lines of Python code, " "or a compiled code object, which will be executed in the restricted " "environment's :mod:`__main__` module." msgstr "" #: ../Doc/library/rexec.rst:112 msgid "" "Execute the Python code contained in the file *filename* in the restricted " "environment's :mod:`__main__` module." msgstr "" #: ../Doc/library/rexec.rst:115 msgid "" "Methods whose names begin with ``s_`` are similar to the functions beginning " "with ``r_``, but the code will be granted access to restricted versions of " "the standard I/O streams ``sys.stdin``, ``sys.stderr``, and ``sys.stdout``." msgstr "" #: ../Doc/library/rexec.rst:122 msgid "" "*code* must be a string containing a Python expression, which will be " "evaluated in the restricted environment." msgstr "" #: ../Doc/library/rexec.rst:128 msgid "" "*code* must be a string containing one or more lines of Python code, which " "will be executed in the restricted environment." msgstr "" #: ../Doc/library/rexec.rst:134 msgid "" "Execute the Python code contained in the file *filename* in the restricted " "environment." msgstr "" #: ../Doc/library/rexec.rst:137 msgid "" ":class:`RExec` objects must also support various methods which will be " "implicitly called by code executing in the restricted environment. " "Overriding these methods in a subclass is used to change the policies " "enforced by a restricted environment." msgstr "" #: ../Doc/library/rexec.rst:145 ../Doc/library/rexec.rst:174 msgid "" "Import the module *modulename*, raising an :exc:`ImportError` exception if " "the module is considered unsafe." msgstr "" #: ../Doc/library/rexec.rst:151 msgid "" "Method called when :func:`open` is called in the restricted environment. " "The arguments are identical to those of :func:`open`, and a file object (or " "a class instance compatible with file objects) should be returned. :class:" "`RExec`'s default behaviour is allow opening any file for reading, but " "forbidding any attempt to write a file. See the example below for an " "implementation of a less restrictive :meth:`r_open`." msgstr "" #: ../Doc/library/rexec.rst:161 ../Doc/library/rexec.rst:180 msgid "Reload the module object *module*, re-parsing and re-initializing it." msgstr "" #: ../Doc/library/rexec.rst:166 msgid "" "Unload the module object *module* (remove it from the restricted " "environment's ``sys.modules`` dictionary)." msgstr "" #: ../Doc/library/rexec.rst:169 msgid "And their equivalents with access to restricted standard I/O streams:" msgstr "" #: ../Doc/library/rexec.rst:185 msgid "Unload the module object *module*." msgstr "" #: ../Doc/library/rexec.rst:193 msgid "Defining restricted environments" msgstr "" #: ../Doc/library/rexec.rst:195 msgid "" "The :class:`RExec` class has the following class attributes, which are used " "by the :meth:`__init__` method. Changing them on an existing instance won't " "have any effect; instead, create a subclass of :class:`RExec` and assign " "them new values in the class definition. Instances of the new class will " "then use those new values. All these attributes are tuples of strings." msgstr "" #: ../Doc/library/rexec.rst:204 msgid "" "Contains the names of built-in functions which will *not* be available to " "programs running in the restricted environment. The value for :class:" "`RExec` is ``('open', 'reload', '__import__')``. (This gives the exceptions, " "because by far the majority of built-in functions are harmless. A subclass " "that wants to override this variable should probably start with the value " "from the base class and concatenate additional forbidden functions --- when " "new dangerous built-in functions are added to Python, they will also be " "added to this module.)" msgstr "" #: ../Doc/library/rexec.rst:215 msgid "" "Contains the names of built-in modules which can be safely imported. The " "value for :class:`RExec` is ``('audioop', 'array', 'binascii', 'cmath', " "'errno', 'imageop', 'marshal', 'math', 'md5', 'operator', 'parser', 'regex', " "'select', 'sha', '_sre', 'strop', 'struct', 'time')``. A similar remark " "about overriding this variable applies --- use the value from the base class " "as a starting point." msgstr "" #: ../Doc/library/rexec.rst:224 msgid "" "Contains the directories which will be searched when an :keyword:`import` is " "performed in the restricted environment. The value for :class:`RExec` is " "the same as ``sys.path`` (at the time the module is loaded) for unrestricted " "code." msgstr "" #: ../Doc/library/rexec.rst:231 msgid "" "Contains the names of the functions in the :mod:`os` module which will be " "available to programs running in the restricted environment. The value for :" "class:`RExec` is ``('error', 'fstat', 'listdir', 'lstat', 'readlink', " "'stat', 'times', 'uname', 'getpid', 'getppid', 'getcwd', 'getuid', 'getgid', " "'geteuid', 'getegid')``." msgstr "" #: ../Doc/library/rexec.rst:242 msgid "" "Contains the names of the functions and variables in the :mod:`sys` module " "which will be available to programs running in the restricted environment. " "The value for :class:`RExec` is ``('ps1', 'ps2', 'copyright', 'version', " "'platform', 'exit', 'maxint')``." msgstr "" #: ../Doc/library/rexec.rst:250 msgid "" "Contains the file types from which modules are allowed to be loaded. Each " "file type is an integer constant defined in the :mod:`imp` module. The " "meaningful values are :const:`PY_SOURCE`, :const:`PY_COMPILED`, and :const:" "`C_EXTENSION`. The value for :class:`RExec` is ``(C_EXTENSION, " "PY_SOURCE)``. Adding :const:`PY_COMPILED` in subclasses is not recommended; " "an attacker could exit the restricted execution mode by putting a forged " "byte-compiled file (:file:`.pyc`) anywhere in your file system, for example " "by writing it to :file:`/tmp` or uploading it to the :file:`/incoming` " "directory of your public FTP server." msgstr "" #: ../Doc/library/rexec.rst:262 msgid "An example" msgstr "" #: ../Doc/library/rexec.rst:264 msgid "" "Let us say that we want a slightly more relaxed policy than the standard :" "class:`RExec` class. For example, if we're willing to allow files in :file:" "`/tmp` to be written, we can subclass the :class:`RExec` class::" msgstr "" #: ../Doc/library/rexec.rst:282 msgid "" "Notice that the above code will occasionally forbid a perfectly valid " "filename; for example, code in the restricted environment won't be able to " "open a file called :file:`/tmp/foo/../bar`. To fix this, the :meth:`r_open` " "method would have to simplify the filename to :file:`/tmp/bar`, which would " "require splitting apart the filename and performing various operations on " "it. In cases where security is at stake, it may be preferable to write " "simple code which is sometimes overly restrictive, instead of more general " "code that is also more complex and may harbor a subtle security hole." msgstr ""