PyPI - RestrictedPython - Versions diffs - 8.2__tar.gz → 8.3__tar.gz - Mend

RestrictedPython 8.2tar.gz → 8.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (107) hide show

{restrictedpython-8.2 → restrictedpython-8.3}/CHANGES.rst RENAMED Viewed

@@ -1,6 +1,23 @@
 Changes
 =======
+8.3 (2026-06-16)
+----------------
+- Switch to PyPI Trusted Publishing for the package release process
+- Also validate positional-only argument names (parameters before ``/``) so
+  they cannot start with an underscore, closing a sandbox escape where a
+  positional-only parameter could shadow an injected protected name such as
+  ``_getattr_``, ``_getitem_``, ``_write_`` or ``_print_``.
+8.3a1.dev0 (2026-05-29)
+-----------------------
+- Allow to use the package with Python 3.15 -- Caution: No security audit has been done so far.
 8.2 (2026-05-29)
 ----------------

{restrictedpython-8.2 → restrictedpython-8.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: RestrictedPython
-Version: 8.2
+Version: 8.3
 Summary: RestrictedPython is a defined subset of the Python language which allows to provide a program input into a trusted environment.
 Author-email: Zope Foundation and contributors <zope-dev@zope.dev>
 Maintainer-email: Plone Foundation and contributors <zope-dev@zope.dev>
@@ -21,7 +21,7 @@ Classifier: Programming Language :: Python :: 3.13
 Classifier: Programming Language :: Python :: 3.14
 Classifier: Programming Language :: Python :: Implementation :: CPython
 Classifier: Topic :: Security
-Requires-Python: <3.15,>=3.10
+Requires-Python: <3.16,>=3.10
 Description-Content-Type: text/x-rst
 License-File: LICENSE.txt
 Provides-Extra: test
@@ -123,6 +123,23 @@ the documentation `Contributing page
 Changes
 =======
+8.3 (2026-06-16)
+----------------
+- Switch to PyPI Trusted Publishing for the package release process
+- Also validate positional-only argument names (parameters before ``/``) so
+  they cannot start with an underscore, closing a sandbox escape where a
+  positional-only parameter could shadow an injected protected name such as
+  ``_getattr_``, ``_getitem_``, ``_write_`` or ``_print_``.
+8.3a1.dev0 (2026-05-29)
+-----------------------
+- Allow to use the package with Python 3.15 -- Caution: No security audit has been done so far.
 8.2 (2026-05-29)
 ----------------

{restrictedpython-8.2 → restrictedpython-8.3}/pyproject.toml RENAMED Viewed

@@ -9,7 +9,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "RestrictedPython"
-version = "8.2"
+version = "8.3"
 description = "RestrictedPython is a defined subset of the Python language which allows to provide a program input into a trusted environment."
 license = "ZPL-2.1"
 classifiers = [
@@ -26,7 +26,7 @@ classifiers = [
     "Topic :: Security",
 ]
 dynamic = ["readme"]
-requires-python = ">=3.10, <3.15"
+requires-python = ">=3.10, <3.16"
 authors = [
     {name = "Zope Foundation and contributors",email = "zope-dev@zope.dev"},
 ]
@@ -83,3 +83,7 @@ directory = "parts/htmlcov"
 [tool.setuptools.dynamic]
 readme = {file = ["README.rst", "CHANGES.rst"]}
+[tool.zest-releaser]
+create-wheel = false
+upload-pypi = false

{restrictedpython-8.2 → restrictedpython-8.3}/src/RestrictedPython/transformer.py RENAMED Viewed

@@ -387,6 +387,9 @@ class RestrictingNodeTransformer(ast.NodeTransformer):
             self.error(node, f'"{name}" is a reserved name.')
     def check_function_argument_names(self, node):
+        for arg in node.args.posonlyargs:
+            self.check_name(node, arg.arg)
         for arg in node.args.args:
             self.check_name(node, arg.arg)

{restrictedpython-8.2 → restrictedpython-8.3}/src/RestrictedPython.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: RestrictedPython
-Version: 8.2
+Version: 8.3
 Summary: RestrictedPython is a defined subset of the Python language which allows to provide a program input into a trusted environment.
 Author-email: Zope Foundation and contributors <zope-dev@zope.dev>
 Maintainer-email: Plone Foundation and contributors <zope-dev@zope.dev>
@@ -21,7 +21,7 @@ Classifier: Programming Language :: Python :: 3.13
 Classifier: Programming Language :: Python :: 3.14
 Classifier: Programming Language :: Python :: Implementation :: CPython
 Classifier: Topic :: Security
-Requires-Python: <3.15,>=3.10
+Requires-Python: <3.16,>=3.10
 Description-Content-Type: text/x-rst
 License-File: LICENSE.txt
 Provides-Extra: test
@@ -123,6 +123,23 @@ the documentation `Contributing page
 Changes
 =======
+8.3 (2026-06-16)
+----------------
+- Switch to PyPI Trusted Publishing for the package release process
+- Also validate positional-only argument names (parameters before ``/``) so
+  they cannot start with an underscore, closing a sandbox escape where a
+  positional-only parameter could shadow an injected protected name such as
+  ``_getattr_``, ``_getitem_``, ``_write_`` or ``_print_``.
+8.3a1.dev0 (2026-05-29)
+-----------------------
+- Allow to use the package with Python 3.15 -- Caution: No security audit has been done so far.
 8.2 (2026-05-29)
 ----------------

{restrictedpython-8.2 → restrictedpython-8.3}/tests/transformer/test_functiondef.py RENAMED Viewed

@@ -29,12 +29,30 @@ def test_RestrictingNodeTransformer__visit_FunctionDef__4():
     assert result.errors == (functiondef_err_msg,)
+def test_positional_only_arg_with_underscore_is_rejected():
+    """It prevents positional-only arguments starting with `_`."""
+    result = compile_restricted_exec("def foo(_bad, /): pass")
+    assert result.errors == (functiondef_err_msg,)
+def test_positional_only_arg_with_default_underscore_is_rejected():
+    """It prevents positional-only arguments with an underscore default."""
+    result = compile_restricted_exec("def foo(_bad=1, /): pass")
+    assert result.errors == (functiondef_err_msg,)
 def test_RestrictingNodeTransformer__visit_FunctionDef__7():
     """It prevents `_` function arguments together with a single `*`."""
     result = compile_restricted_exec("def foo(good, *, _bad): pass")
     assert result.errors == (functiondef_err_msg,)
+def test_positional_only_lambda_arg_with_underscore_is_rejected():
+    """It prevents positional-only lambda arguments starting with `_`."""
+    result = compile_restricted_exec("f = lambda _bad, /: None")
+    assert result.errors == (functiondef_err_msg,)
 BLACKLISTED_FUNC_NAMES_CALL_TEST = """
 def __init__(test):
     test

{restrictedpython-8.2 → restrictedpython-8.3}/tox.ini RENAMED Viewed

@@ -10,6 +10,7 @@ envlist =
     py312
     py313
     py314
+    py315
     docs
     coverage
     py311-datetime
@@ -19,6 +20,7 @@ envlist =
 usedevelop = true
 package = wheel
 wheel_build_env = .pkg
+pip_pre = py315: true
 deps =
     setuptools >= 78.1.1,< 82
     datetime: DateTime