Re: Bug#230704: zope-testcase: SOFTWARE_HOME and INSTANCE_HOME can break install.
G'day,
----- Original Message -----
From: "Tommi Virtanen" <tv@tv.debian.net>
To: "Donovan Baarda" <abo@minkirri.apana.org.au>
Cc: "Andreas Tille" <tillea@rki.de>; <230704@bugs.debian.org>; "Debian
Python List" <debian-python@lists.debian.org>
Sent: Thursday, February 05, 2004 7:29 PM
Subject: Re: Bug#230704: zope-testcase: SOFTWARE_HOME and INSTANCE_HOME can
break install.
> Donovan Baarda wrote:
> > I have a feeling PYTHONPATH should be unset in all python postinst and
> > maybe prerm scripts (something to add to the python policy?). A manually
> > set PYTHONPATH can do evil things to any python package's postinst and
> > prerm.
>
> A manually set PATH can do evil things to any package's postinsts and
> prerm. You break it, you get to keep both halves.
I was going to reply "this is why many packages sanitize PATH in their
scripts", but after checking through /var/lib/dpkg/info/* it seems they
don't.
Does dpkg do any path sanitization itself? I'm kinda surprised if it
doesn't, because as you say many things can break.
Most security sensitive scripts do sanitize PATH before they execute,
because PATH munging can be used as a security attack on scripts that don't.
I would have thought dpkg would fall into that catagory.
ABO
Reply to: