headers
Neil Muller | 1 Nov 2011 14:59
Picon

Fixing debian bug 605185

Debian currently has a bug against sqlobject for an insecure use of
PYTHONPATH in the docs/rebuild script -
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605185 . While it is
a minor issue, it's easy enough to do the right thing, so seems worth
fixing.

Patch attached.

--

-- 
Neil Muller
drnlmuller <at> gmail.com

I've got a gmail account. Why haven't I become cool?
Attachment (sqlobject_605185.diff): text/x-diff, 458 bytes
------------------------------------------------------------------------------
RSA&reg; Conference 2012
Save &#36;700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
sqlobject-discuss mailing list
sqlobject-discuss <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlobject-discuss
Permalink | Reply |
headers
Oleg Broytman | 1 Nov 2011 15:07
X-Face
Favicon
Gravatar

Re: Fixing debian bug 605185

On Tue, Nov 01, 2011 at 03:59:23PM +0200, Neil Muller wrote:
> Debian currently has a bug against sqlobject for an insecure use of
> PYTHONPATH in the docs/rebuild script -
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605185 . While it is
> a minor issue, it's easy enough to do the right thing, so seems worth
> fixing.
> 
> Patch attached.
> 
> -- 
> Neil Muller
> drnlmuller <at> gmail.com

   Thank you!

> I've got a gmail account. Why haven't I become cool?

> Index: docs/rebuild
> ===================================================================
> --- docs/rebuild	(revision 4465)
> +++ docs/rebuild	(working copy)
>  <at>  <at>  -3,7 +3,7  <at>  <at> 
>  here=`pwd`
>  parent=`dirname $here`
>  echo "Adding $parent to \$PYTHONPATH"
> -export PYTHONPATH=$parent:$PYTHONPATH
> +export PYTHONPATH=$parent${PYTHONPATH:+:$PYTHONPATH}

   Strange syntax ${PYTHONPATH:+:$PYTHONPATH} . Are you sure? Shouldn't
it be just ${PYTHONPATH:+$PYTHONPATH} ?
(Continue reading)

Permalink | Reply |
headers
Neil Muller | 1 Nov 2011 15:31
Picon

Re: Fixing debian bug 605185

On 1 November 2011 16:07, Oleg Broytman <phd <at> phdru.name> wrote:
> On Tue, Nov 01, 2011 at 03:59:23PM +0200, Neil Muller wrote:
>> Debian currently has a bug against sqlobject for an insecure use of
>> PYTHONPATH in the docs/rebuild script -
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605185 . While it is
>> a minor issue, it's easy enough to do the right thing, so seems worth
>> fixing.
>>
>> Patch attached.
>>
>> --
>> Neil Muller
>> drnlmuller <at> gmail.com
>
>   Thank you!
>
>> I've got a gmail account. Why haven't I become cool?
>
>> Index: docs/rebuild
>> ===================================================================
>> --- docs/rebuild      (revision 4465)
>> +++ docs/rebuild      (working copy)
>>  <at>  <at>  -3,7 +3,7  <at>  <at> 
>>  here=`pwd`
>>  parent=`dirname $here`
>>  echo "Adding $parent to \$PYTHONPATH"
>> -export PYTHONPATH=$parent:$PYTHONPATH
>> +export PYTHONPATH=$parent${PYTHONPATH:+:$PYTHONPATH}
>
>   Strange syntax ${PYTHONPATH:+:$PYTHONPATH} . Are you sure? Shouldn't
(Continue reading)

Permalink | Reply |
headers
Oleg Broytman | 1 Nov 2011 15:41
X-Face
Favicon
Gravatar

Re: Fixing debian bug 605185

On Tue, Nov 01, 2011 at 04:31:43PM +0200, Neil Muller wrote:
> On 1 November 2011 16:07, Oleg Broytman <phd <at> phdru.name> wrote:
> >   Strange syntax ${PYTHONPATH:+:$PYTHONPATH} . Are you sure? Shouldn't
> > it be just ${PYTHONPATH:+$PYTHONPATH} ?
> 
> It does look a little strange, but it is correct.
> 
> It's the POSIX shell alternate value syntax with ":$PYTHONPATH" as the
> alternate value. If the ':' is excluded,  there's no separator between
> $parent and $PYTHONPATH when PYTHONPATH is set, and the separator must
> only be added when PYTHONPATH is already set to fix the bug.

   Got it. Thank you!

Oleg.
--

-- 
     Oleg Broytman            http://phdru.name/            phd <at> phdru.name
           Programmers don't die, they just GOSUB without RETURN.

------------------------------------------------------------------------------
RSA&reg; Conference 2012
Save &#36;700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
Permalink | Reply |
headers
Oleg Broytman | 1 Nov 2011 15:10
X-Face
Favicon
Gravatar

Re: Fixing debian bug 605185

On Tue, Nov 01, 2011 at 06:07:39PM +0400, Oleg Broytman wrote:
> > +export PYTHONPATH=$parent${PYTHONPATH:+:$PYTHONPATH}
> 
>    Strange syntax ${PYTHONPATH:+:$PYTHONPATH} . Are you sure? Shouldn't
> it be just ${PYTHONPATH:+$PYTHONPATH} ?

   Ah, you want that ':' to be used with $PYTHONPATH -
$parent:$PYTHONPATH when $PYTHONPATH is not empty. I see now!

Oleg.
--

-- 
     Oleg Broytman            http://phdru.name/            phd <at> phdru.name
           Programmers don't die, they just GOSUB without RETURN.

------------------------------------------------------------------------------
RSA&reg; Conference 2012
Save &#36;700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
Permalink | Reply |
headers
Oleg Broytman | 2 Nov 2011 20:04
X-Face
Favicon
Gravatar

Re: Fixing debian bug 605185

On Tue, Nov 01, 2011 at 03:59:23PM +0200, Neil Muller wrote:
> +export PYTHONPATH=$parent${PYTHONPATH:+:$PYTHONPATH}

   Applied and committed in the revision 4466 in the trunk. Will be in
version 1.2. Thank you! You can report to the Debian bug tracker the bug
is fixed upstream:
http://sourceforge.net/mailarchive/forum.php?thread_name=E1RLg2r-0000jo-GB%40webwareforpython.org&forum_name=sqlobject-cvs

Oleg.
--

-- 
     Oleg Broytman            http://phdru.name/            phd <at> phdru.name
           Programmers don't die, they just GOSUB without RETURN.

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
Permalink | Reply |
headers
Oleg Broytman | 2 Nov 2011 20:13
X-Face
Favicon
Gravatar

Re: Fixing docs/rebuild script (was: debian bug 605185)

I also did two commits fixing other minor problems with the script.

Oleg.
--

-- 
     Oleg Broytman            http://phdru.name/            phd <at> phdru.name
           Programmers don't die, they just GOSUB without RETURN.

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
Permalink | Reply |

Gmane