[FIX] odoo,base: new Python 3.11 opcodes

When python expression is evaluated in odoo form an action or qweb, we are checking the opcodes generated by the evaluation of this code. We do such a verification, because the code from actions and templates can be written by someone having not access to the server and we don't want to let them perform actions out of the scope of their database. In python 3.11, some opcodes from previous versions of Python have been renamed, grouped or sepcified. There are also new ones that have been introduce. In this PR, we are whitelisting the new ones that are needed by odoo to properly work in this version of Python. Part-of: odoo#112450
acsone · Feb 14, 2023 · 1e35315 · 1e35315
1 parent 8095e3f
commit 1e35315
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/odoo/addons/base/models/ir_qweb.py b/odoo/addons/base/models/ir_qweb.py
@@ -406,13 +406,24 @@
     'CALL_METHOD', 'LOAD_METHOD',
 
     'GET_ITER', 'FOR_ITER', 'YIELD_VALUE',
-    'JUMP_FORWARD', 'JUMP_ABSOLUTE',
+    'JUMP_FORWARD', 'JUMP_ABSOLUTE', 'JUMP_BACKWARD',
     'JUMP_IF_FALSE_OR_POP', 'JUMP_IF_TRUE_OR_POP', 'POP_JUMP_IF_FALSE', 'POP_JUMP_IF_TRUE',
 
     'LOAD_NAME', 'LOAD_ATTR',
     'LOAD_FAST', 'STORE_FAST', 'UNPACK_SEQUENCE',
     'STORE_SUBSCR',
     'LOAD_GLOBAL',
+    # Following opcodes were added in 3.11 https://docs.python.org/3/whatsnew/3.11.html#new-opcodes
+    'RESUME',
+    'CALL',
+    'PRECALL',
+    'POP_JUMP_FORWARD_IF_FALSE',
+    'PUSH_NULL',
+    'POP_JUMP_FORWARD_IF_TRUE', 'KW_NAMES',
+    'FORMAT_VALUE', 'BUILD_STRING',
+    'RETURN_GENERATOR',
+    'POP_JUMP_BACKWARD_IF_FALSE',
+    'SWAP',
 ])) - _BLACKLIST
 
 

diff --git a/odoo/tools/safe_eval.py b/odoo/tools/safe_eval.py
@@ -66,6 +66,10 @@ def to_opcodes(opnames, _opmap=opmap):
     # 3.6: literal map with constant keys https://bugs.python.org/issue27140
     'BUILD_CONST_KEY_MAP',
     'LIST_EXTEND', 'SET_UPDATE',
+    # 3.11 replace DUP_TOP, DUP_TOP_TWO, ROT_TWO, ROT_THREE, ROT_FOUR
+    'COPY', 'SWAP',
+    # Added in 3.11 https://docs.python.org/3/whatsnew/3.11.html#new-opcodes
+    'RESUME',
 ])) - _BLACKLIST
 
 # operations which are both binary and inplace, same order as in doc'
@@ -88,6 +92,8 @@ def to_opcodes(opnames, _opmap=opmap):
     'DICT_MERGE', 'DICT_UPDATE',
     # Basically used in any "generator literal"
     'GEN_START',  # added in 3.10 but already removed from 3.11.
+    # Added in 3.11, replacing all BINARY_* and INPLACE_*
+    'BINARY_OP',
 ])) - _BLACKLIST
 
 _SAFE_OPCODES = _EXPR_OPCODES.union(to_opcodes([
@@ -114,6 +120,23 @@ def to_opcodes(opnames, _opmap=opmap):
     'LOAD_GLOBAL',
 
     'RERAISE', 'JUMP_IF_NOT_EXC_MATCH',
+
+    # Following opcodes were Added in 3.11
+    # replacement of opcodes CALL_FUNCTION, CALL_FUNCTION_KW, CALL_METHOD
+    'PUSH_NULL', 'PRECALL', 'CALL', 'KW_NAMES',
+    # replacement of POP_JUMP_IF_TRUE and POP_JUMP_IF_FALSE
+    'POP_JUMP_FORWARD_IF_FALSE', 'POP_JUMP_FORWARD_IF_TRUE',
+    'POP_JUMP_BACKWARD_IF_FALSE', 'POP_JUMP_BACKWARD_IF_TRUE',
+    #replacement of JUMP_ABSOLUTE
+    'JUMP_BACKWARD',
+    #replacement of JUMP_IF_NOT_EXC_MATCH
+    'CHECK_EXC_MATCH',
+    # new opcodes
+    'RETURN_GENERATOR',
+    'PUSH_EXC_INFO',
+    'NOP',
+    'FORMAT_VALUE', 'BUILD_STRING'
+
 ])) - _BLACKLIST
 
 _logger = logging.getLogger(__name__)