A /debug/run_python endpoint for staff to test the sandboxing of Python code.

ec7a04fd · Ned Batchelder · df17c0c7 · ec7a04fd · ec7a04fd · ec7a04fd
Commit ec7a04fd authored Feb 22, 2013 by Ned Batchelder
Showing with 56 additions and 0 deletions

lms/djangoapps/debug/__init__.py
+0 -0

lms/djangoapps/debug/models.py
+3 -0

lms/djangoapps/debug/views.py
+29 -0

lms/envs/common.py
+1 -0

lms/templates/debug/run_python_form.html
+19 -0

lms/urls.py
+4 -0

No files found.
--- a/lms/djangoapps/debug/__init__.py
+++ b/lms/djangoapps/debug/__init__.py
--- a/lms/djangoapps/debug/models.py
+++ b/lms/djangoapps/debug/models.py
+from django.db import models
+
+# Create your models here.
--- a/lms/djangoapps/debug/views.py
+++ b/lms/djangoapps/debug/views.py
+"""Views for debugging and diagnostics"""
+
+import pprint
+
+from django.http import Http404
+from django.contrib.auth.decorators import login_required
+from django_future.csrf import ensure_csrf_cookie, csrf_exempt
+from mitxmako.shortcuts import render_to_response
+
+from codejail.safe_exec import safe_exec
+
+@login_required
+@ensure_csrf_cookie
+def run_python(request):
+    if not request.user.is_staff:
+        raise Http404
+    c = {}
+    c['code'] = ''
+    c['results'] = None
+    if request.method == 'POST':
+        py_code = c['code'] = request.POST.get('code')
+        g, l = {}, {}
+        try:
+            safe_exec(py_code, g, l)
+        except Exception as e:
+            c['results'] = str(e)
+        else:
+            c['results'] = pprint.pformat(l)
+    return render_to_response("debug/run_python_form.html", c)
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -589,6 +589,7 @@ INSTALLED_APPS = (

    # For testing
    'django.contrib.admin',   # only used in DEBUG mode
+    'debug',

    # Discussion forums
    'django_comment_client',

--- a/lms/templates/debug/run_python_form.html
+++ b/lms/templates/debug/run_python_form.html
+<html><body>
+<div>
+<p>Python:</p>
+<form method='post'>
+    <input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }">
+    <div>
+        <textarea name='code' rows='20' cols='80'>${code|h}</textarea>
+    </div>
+    <input type='submit' value='Run it!'/>
+</form>
+</div>
+%if results:
+<div>
+    <p>Results:</p>
+    <pre>
+${results|h}
+</pre>
+</div>
+%endif
--- a/lms/urls.py
+++ b/lms/urls.py
@@ -358,6 +358,10 @@ urlpatterns += (
    url(r'^comm/foldit_ops', 'foldit.views.foldit_ops', name="foldit_ops"),
 )

+urlpatterns += (
+    url(r'^debug/run_python', 'debug.views.run_python'),
+)
+
 urlpatterns = patterns(*urlpatterns)

 if settings.DEBUG: