Message12944

Author	jeff.allen
Recipients	alexgobbo, jeff.allen, zyasoft
Date	2020-01-30.08:16:45
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1580372207.03.0.446675654174.issue2846@roundup.psfhosted.org>
In-reply-to

Content
If I perform the module creation (on engine creation) unconditionally, I get a behaviour quite similar to Python script execution from the command-line and standard eval in the REPL: >>> from javax.script import * >>> engine = ScriptEngineManager().getEngineByName("python") >>> c = SimpleScriptContext() >>> engine.eval("print globals().keys()") ['__builtins__', '__doc__', '__name__', '__package__'] >>> engine.eval("print __name__") __main__ So __name__ == "__main__" and a module with the engine's name space is added to sys.modules. This does not otherwise interfere with the thread-bound globals/locals, so although I don't understand the use case for it, I feel this can't have broken it. I do understand the use case for swapping the name space, when a Bindings object (or a ScriptContext) is given explicitly. These behave (as before) parallel with exec/eval when explicitly given a dictionary: >>> engine.eval("print globals().keys()", c) ['__builtins__'] >>> engine.eval("print __name__", c) __builtin__ The isolation of name spaces supports re-use of the engine, but there is no security value in it. With an explicit Bindings or ScriptContext, the namespace of the engine is reachable via sys.modules: >>> engine.eval("import sys; print sys.modules['__main__'].__dict__.keys()", c) ['__builtins__', '__doc__', '__name__', '__package__'] Now in the code base at https://hg.python.org/jython/rev/58d45a33c32f .

If I perform the module creation (on engine creation) unconditionally, I get a behaviour quite similar to Python script execution from the command-line and standard eval in the REPL:

>>> from javax.script import *
>>> engine = ScriptEngineManager().getEngineByName("python")
>>> c = SimpleScriptContext()
>>> engine.eval("print globals().keys()")
['__builtins__', '__doc__', '__name__', '__package__']
>>> engine.eval("print __name__")
__main__

So __name__ == "__main__" and a module with the engine's name space is added to sys.modules.

This does not otherwise interfere with the thread-bound globals/locals, so although I don't understand the use case for it, I feel this can't have broken it.

I *do* understand the use case for swapping the name space, when a Bindings object (or a ScriptContext) is given explicitly. These behave (as before) parallel with exec/eval when explicitly given a dictionary:

>>> engine.eval("print globals().keys()", c)
['__builtins__']
>>> engine.eval("print __name__", c)
__builtin__

The isolation of name spaces supports re-use of the engine, but there is no security value in it. With an explicit Bindings or ScriptContext, the namespace of the engine is reachable via sys.modules:

>>> engine.eval("import sys; print sys.modules['__main__'].__dict__.keys()", c)
['__builtins__', '__doc__', '__name__', '__package__']

Now in the code base at https://hg.python.org/jython/rev/58d45a33c32f .

History
Date	User	Action	Args
2020-01-30 08:16:47	jeff.allen	set	messageid: <1580372207.03.0.446675654174.issue2846@roundup.psfhosted.org>
2020-01-30 08:16:47	jeff.allen	set	recipients: + jeff.allen, zyasoft, alexgobbo
2020-01-30 08:16:46	jeff.allen	link	issue2846 messages
2020-01-30 08:16:45	jeff.allen	create