Thread: [SQLObject] Fixing debian bug 605185
SQLObject is a Python ORM.
From: Neil M. <drn...@gm...> - 2011-11-01 13:59:34
Attachments:
sqlobject_605185.diff
Debian currently has a bug against sqlobject for an insecure use of PYTHONPATH in the docs/rebuild script - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605185 . While it is a minor issue, it's easy enough to do the right thing, so seems worth fixing.

Patch attached.

--
Neil Muller
drn...@gm...

I've got a gmail account. Why haven't I become cool?
From: Oleg B. <ph...@ph...> - 2011-11-01 14:22:03
On Tue, Nov 01, 2011 at 03:59:23PM +0200, Neil Muller wrote: > Debian currently has a bug against sqlobject for an insecure use of > PYTHONPATH in the docs/rebuild script - > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605185 . While it is > a minor issue, it's easy enough to do the right thing, so seems worth > fixing. > > Patch attached. > > -- > Neil Muller > drn...@gm... Thank you! > I've got a gmail account. Why haven't I become cool? > Index: docs/rebuild > =================================================================== > --- docs/rebuild (revision 4465) > +++ docs/rebuild (working copy) > @@ -3,7 +3,7 @@ > here=`pwd` > parent=`dirname $here` > echo "Adding $parent to \$PYTHONPATH" > -export PYTHONPATH=$parent:$PYTHONPATH > +export PYTHONPATH=$parent${PYTHONPATH:+:$PYTHONPATH} Strange syntax ${PYTHONPATH:+:$PYTHONPATH} . Are you sure? Shouldn't it be just ${PYTHONPATH:+$PYTHONPATH} ? Oleg. -- Oleg Broytman http://phdru.name/ ph...@ph... Programmers don't die, they just GOSUB without RETURN. |
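Review bot: on the `+export` line the expansions are unquoted, so in a shell that treats `export` as an ordinary command the argument is field-split and a checkout path containing whitespace yields a broken value; the `dirname $here` context line has the same weakness. Suggest assigning with quotes first, `PYTHONPATH="$parent${PYTHONPATH:+:$PYTHONPATH}"`, then `export PYTHONPATH`, and quoting `"$here"`. The `:+` expansion itself is correct: it emits the separator only when PYTHONPATH is set and non-empty, which removes the trailing empty entry the `-` line produced.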
From: Oleg B. <ph...@ph...> - 2011-11-01 15:02:50
On Tue, Nov 01, 2011 at 06:07:39PM +0400, Oleg Broytman wrote:
> > +export PYTHONPATH=$parent${PYTHONPATH:+:$PYTHONPATH}
>
> Strange syntax ${PYTHONPATH:+:$PYTHONPATH} . Are you sure? Shouldn't
> it be just ${PYTHONPATH:+$PYTHONPATH} ?

Ah, you want that ':' to be used with $PYTHONPATH - $parent:$PYTHONPATH when $PYTHONPATH is not empty. I see now!

Oleg.
--
Oleg Broytman http://phdru.name/ ph...@ph...
Programmers don't die, they just GOSUB without RETURN.
From: Neil M. <drn...@gm...> - 2011-11-01 14:31:55
On 1 November 2011 16:07, Oleg Broytman <ph...@ph...> wrote: > On Tue, Nov 01, 2011 at 03:59:23PM +0200, Neil Muller wrote: >> Debian currently has a bug against sqlobject for an insecure use of >> PYTHONPATH in the docs/rebuild script - >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605185 . While it is >> a minor issue, it's easy enough to do the right thing, so seems worth >> fixing. >> >> Patch attached. >> >> -- >> Neil Muller >> drn...@gm... > > Thank you! > >> I've got a gmail account. Why haven't I become cool? > >> Index: docs/rebuild >> =================================================================== >> --- docs/rebuild (revision 4465) >> +++ docs/rebuild (working copy) >> @@ -3,7 +3,7 @@ >> here=`pwd` >> parent=`dirname $here` >> echo "Adding $parent to \$PYTHONPATH" >> -export PYTHONPATH=$parent:$PYTHONPATH >> +export PYTHONPATH=$parent${PYTHONPATH:+:$PYTHONPATH} > > Strange syntax ${PYTHONPATH:+:$PYTHONPATH} . Are you sure? Shouldn't > it be just ${PYTHONPATH:+$PYTHONPATH} ? It does look a little strange, but it is correct. It's the POSIX shell alternate value syntax with ":$PYTHONPATH" as the alternate value. If the ':' is excluded, there's no separator between $parent and $PYTHONPATH when PYTHONPATH is set, and the separator must only be added when PYTHONPATH is already set to fix the bug. -- Neil Muller drn...@gm... I've got a gmail account. Why haven't I become cool? |
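The three forms discussed in this thread, side by side, as an added example (not part of the original posts or of SQLObject's docs/rebuild script). The function names and the paths /srv/sqlobject and /opt/lib are constructed for illustration; the empty-entry check reflects that an empty component in a PATH-style list such as PYTHONPATH is searched as the current directory.

```shell
#!/bin/sh
# Added example: each function computes the PYTHONPATH value one variant
# of the docs/rebuild assignment would export. $1 = parent directory,
# $2 = inherited PYTHONPATH (omit $2 to model an unset variable).
# Bodies are subshells so the caller's own PYTHONPATH is left untouched.

inherit() { if [ $# -ge 2 ]; then PYTHONPATH=$2; else unset PYTHONPATH; fi; }

# Original line: the ':' is always emitted.
old_path() ( inherit "$@"; parent=$1
    printf '%s\n' "$parent:$PYTHONPATH" )

# Patched line: ":$PYTHONPATH" appears only if PYTHONPATH is set and non-empty.
new_path() ( inherit "$@"; parent=$1
    printf '%s\n' "$parent${PYTHONPATH:+:$PYTHONPATH}" )

# Variant asked about in review: no ':' inside the alternate value.
no_sep_path() ( inherit "$@"; parent=$1
    printf '%s\n' "$parent${PYTHONPATH:+$PYTHONPATH}" )

# True if a colon-separated list has an empty component
# (leading ':', trailing ':' or '::').
has_empty_entry() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print one row per variant for a given starting state.
report() {
    label=$1; shift
    for fn in old_path new_path no_sep_path; do
        value=$($fn "$@")
        if has_empty_entry "$value"; then verdict="empty entry"; else verdict=ok; fi
        printf '%-6s %-12s %-26s %s\n' "$label" "$fn" "$value" "$verdict"
    done
}

# Constructed sample states: unset, set but empty, set to one directory.
report unset /srv/sqlobject
report empty /srv/sqlobject ""
report set   /srv/sqlobject /opt/lib
```

Only the original line yields an empty entry, and only when PYTHONPATH starts out unset or empty; the variant without the inner ':' fuses the two directories into one wrong path when PYTHONPATH is set.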
From: Oleg B. <ph...@ph...> - 2011-11-01 14:41:11
On Tue, Nov 01, 2011 at 04:31:43PM +0200, Neil Muller wrote:
> On 1 November 2011 16:07, Oleg Broytman <ph...@ph...> wrote:
> > Strange syntax ${PYTHONPATH:+:$PYTHONPATH} . Are you sure? Shouldn't
> > it be just ${PYTHONPATH:+$PYTHONPATH} ?
>
> It does look a little strange, but it is correct.
>
> It's the POSIX shell alternate value syntax with ":$PYTHONPATH" as the
> alternate value. If the ':' is excluded, there's no separator between
> $parent and $PYTHONPATH when PYTHONPATH is set, and the separator must
> only be added when PYTHONPATH is already set to fix the bug.

Got it. Thank you!

Oleg.
--
Oleg Broytman http://phdru.name/ ph...@ph...
Programmers don't die, they just GOSUB without RETURN.
From: Oleg B. <ph...@ph...> - 2011-11-02 19:04:49
On Tue, Nov 01, 2011 at 03:59:23PM +0200, Neil Muller wrote:
> +export PYTHONPATH=$parent${PYTHONPATH:+:$PYTHONPATH}

Applied and committed in the revision 4466 in the trunk. Will be in version 1.2. Thank you! You can report to the Debian bug tracker the bug is fixed upstream:
http://sourceforge.net/mailarchive/forum.php?thread_name=E1RLg2r-0000jo-GB%40webwareforpython.org&forum_name=sqlobject-cvs

Oleg.
--
Oleg Broytman http://phdru.name/ ph...@ph...
Programmers don't die, they just GOSUB without RETURN.
From: Oleg B. <ph...@ph...> - 2011-11-02 19:13:13
I also did two commits fixing other minor problems with the script.

Oleg.
--
Oleg Broytman http://phdru.name/ ph...@ph...
Programmers don't die, they just GOSUB without RETURN.