Author: bugman
Date: Wed Dec 15 01:45:19 2010
New Revision: 11830
URL: http://svn.gna.org/viewcvs/relax?rev=11830&view=rev
Log: Security fix - execfile() is no longer used to run relax scripts. Instead a custom function exec_script() is being used to call runpy.run_module(). exec_script() also locks and releases the relax execution lock before and after operation.
Modified: 1.3/prompt/interpreter.py
Modified: 1.3/prompt/interpreter.py
URL: http://svn.gna.org/viewcvs/relax/1.3/prompt/interpreter.py?rev=11830&r1=11829&r2=11830&view=diff
==============================================================================
--- 1.3/prompt/interpreter.py (original)
+++ 1.3/prompt/interpreter.py Wed Dec 15 01:45:19 2010
@@ -29,10 +29,13 @@
 # Python module imports.
 import __main__
 from code import InteractiveConsole, softspace
-from os import F_OK, access
+from os import F_OK, access, getcwd, path
 import platform
+from re import search
 if dep_check.readline_module:
 import readline
+import runpy
+from string import split
 import sys
 # Python modules accessible on the command prompt.
@@ -48,6 +51,7 @@
 from info import Info_box
 if dep_check.readline_module:
 from tab_completion import Tab_completion
+from status import Status
 # User functions.
 from angles import Angles
@@ -337,6 +341,33 @@
 sys.exit()
+
+def exec_script(name, globals):
+ """Execute the script."""
+
+ # Check if the script name is ok.
+ if not search('\.py$', name):
+ raise RelaxError("The relax script must end in '*.py'.")
+
+ # Execution lock.
+ status = Status()
+ status.exec_lock.acquire('script UI')
+
+ # The module path.
+ head, tail = path.split(name)
+ script_path = path.join(getcwd(), head)
+ sys.path.append(script_path)
+
+ # The module name.
+ module, extension = split(tail, '.')
+
+ # Execute the module.
+ runpy.run_module(module, globals)
+
+ # Unlock execution.
+ status.exec_lock.release()
+
+
 def interact_prompt(self, intro=None, local={}):
 """Replacement function for 'code.InteractiveConsole.interact'.
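Review bot: The execution lock taken in `exec_script()` is not released when the script fails: `status.exec_lock.release()` is only reached if `runpy.run_module()` returns normally, so an exception or Ctrl-C raised inside the script leaves the lock held. `sys.path.append(script_path)` also puts the script's directory last and never removes it, so a script whose name matches a module found earlier on `sys.path` would have that other module executed instead of the named file, and the extra entry stays in place for later imports. `split(tail, '.')` with two-name unpacking raises ValueError for a file name containing more than one dot. I would run the module inside `try`/`finally`, put the directory at the front of `sys.path` for the duration of the run only, and take the module name with `path.splitext()`; where the minimum supported Python version allows it, `runpy.run_path()` would avoid the name lookup altogether.

```python
def exec_script(name, globals):
    # … unchanged: docstring and the '*.py' suffix check …

    # The module path and name.
    head, tail = path.split(name)
    script_path = path.join(getcwd(), head)
    module = path.splitext(tail)[0]

    # Hold the execution lock for the run only, and always give it back.
    status = Status()
    status.exec_lock.acquire('script UI')
    sys.path.insert(0, script_path)
    try:
        runpy.run_module(module, globals)
    finally:
        # Undo the sys.path change so later imports are unaffected.
        if script_path in sys.path:
            sys.path.remove(script_path)
        status.exec_lock.release()
```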
@@ -418,6 +449,7 @@
 sys.stdout.write(instance.__str__())
 sys.stdout.write("\n")
 return
+ sys.stdout.write("script = " + repr(script_file) + "\n")
 sys.stdout.write("----------------------------------------------------------------------------------------------------\n")
 sys.stdout.write(file.read())
@@ -429,7 +461,7 @@
 # Execute the script.
 try:
- execfile(script_file, local)
+ exec_script(script_file, local)
 # Catch ctrl-C.
 except KeyboardInterrupt:
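Review bot: `exec_script(script_file, local)` does not fill `local` the way `execfile(script_file, local)` did, because `runpy.run_module()` takes its second argument as `init_globals`, uses it only to seed a fresh module namespace, and returns that namespace, which `exec_script()` discards. If anything after this call reads names the script defined (not visible in this hunk), it will no longer find them. I would either end `exec_script()` with `return runpy.run_module(module, globals)` so the caller can use the result, or state in its docstring that `globals` only seeds the namespace and is not updated. The `try:` block continues outside the hunk, so whether the `RelaxError` raised for a name not ending in `.py` is handled there cannot be confirmed from here.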