
[Popcon-developers] Re: Reverting some popcon changes



On Sun, Jan 08, 2006 at 05:21:19PM +0100, Petter Reinholdtsen wrote:
> Yes, it increases the complexity slightly, but we are talking about a
> 112 line shell script, so I believe the complexity is still within
> control.

A 112 line shell script is already too much. We should split or
something.

> >> Do you have a URL to the bug report for this issue?  Is it fixed in
> >> the ubuntu package?
> > 
> > No, I told it to you and three Ubuntu developers. No answer so far.
> 
> Well, for my part it has drowned in my other email.  I suspect the
> chances of getting the issue addressed increase significantly if the
> issue is reported into Ubuntu's and Debian's bug tracking system.

Well, it was a security issue so I sent it privately to the relevant
Ubuntu people. Secondly this was not a Debian bug at this time.

> > I explained it to you 3 times already, at least once even before you
> > made the changes. Writing directly to disk skips the sanity checking
> > performed by prepop.pl.  This allows a specially crafted popcon
> > submission to write to or create arbitrary files.
> 
> Ah, right.  That issue.  Sorry, but it was lost in my pile of mail
> too, and I had forgotten it.  Did not seem like a major issue to me,
> so I focused on other issues instead.  I'm implementing a simple fix
> now, just piping the report through prepop.pl instead of writing
> directly.

Well, but now there is a race condition issue when popanal.py runs,
because both the CGI and popanal.py modify the database (and also 
the find |xargs rm job).

You can probably use cat instead of sendmail with some locking.

Cheers,
Bill.
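
The two points raised in this message, as an added example that is not part of the thread or of popcon's own code: check the submission before it decides a file name, and serialize writers with a lock. The header layout (`POPULARITY-CONTEST-0 ... ID:<32 hex digits> ...`), the names `store_report` and `spool_dir`, and the `.lock` file are assumptions made for illustration.

```python
import fcntl
import os
import re
import tempfile

# Assumption: a host ID is exactly 32 lowercase hex digits.
ID_RE = re.compile(r"[0-9a-f]{32}")


def store_report(report: str, spool_dir: str) -> str:
    """Validate a submission, then store it under spool_dir; return its path."""
    fields = report.split("\n", 1)[0].split(" ")
    if fields[0] != "POPULARITY-CONTEST-0":
        raise ValueError("not a popcon report")
    ids = [f[3:] for f in fields[1:] if f.startswith("ID:")]
    # Reject anything but one well-formed ID, so the file name derived
    # from it can never contain "/" or "..".
    if len(ids) != 1 or not ID_RE.fullmatch(ids[0]):
        raise ValueError("malformed host ID")
    dest = os.path.join(spool_dir, ids[0])

    # Advisory lock: it only helps if the analysis and cleanup jobs
    # take the same lock before touching the spool.
    with open(os.path.join(spool_dir, ".lock"), "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        fd, tmp = tempfile.mkstemp(dir=spool_dir, prefix=".tmp-")
        try:
            with os.fdopen(fd, "w") as out:
                out.write(report)
            os.replace(tmp, dest)  # atomic: no reader sees a partial file
        except BaseException:
            os.unlink(tmp)
            raise
    return dest
```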

