This checks if the filename of a downloaded file has
been modified (for example by a MITM attack) to contain
slashes. This could mean that the file is compromised
and that the attacker tries to overwrite system files.
this makes sure not to mix objects to prevent a TypeError
TypeError: Can't mix strings and bytes in path components
Fixes#567
Signed-off-by: Maximilian Meister <mmeister@suse.de>
Now, the fullfilename is calculated using the canonname of a
bdep instead of using the bdep's binary attribute (the canonname
and binary attribute can differ (e.g. ConsoleKit-64bit-0.4.6-3.2.ppc.rpm
vs. ::import::ppc64::ConsoleKit-64bit-0.4.6-3.2.ppc.rpm))
We still have to support older urlgrabber versions where the class
"URLGrabber" is an old-style class and therefore we cannot use a "super(...)"
call. This fixes issue #32
given urlgrabber version 3.9.1, MirrorGroup trys to access
grabber.opts, but the derived grabber OscFileGrabber hasn't
this attribute
Signed-off-by: Gui Chen <gui.chen@intel.com>
Unfortunately the class URLGrabError does not define constants for the
different error codes therefore we have to hardcode the errno (alternatively
we can define them in our fetch module).
The most visible change in python3 - removal of print statement and all
the crufty
print >> sys.stderr, foo,
The from __future__ import print_function makes it available in python
2.6
this patch
1.) removes the iteritems/itervalues, which were dropped in py3
items/values are used instead
2.) add an extra list() in a cases the list-based access is needed
(included appending, indexing and so)
3.) changes a sorting idiom in few places
instead of
foo = dict.keys()
foo.sort()
for i in foo:
there is a recommended
for i in sorted(dict.keys()):
4.) in one occassion it removes a if dict.has_key() by simpler
dict.get(key, default)
Downloaded files may not have read permission for everybody.
This doesn't seem to be a problem since the user as well as
root should be able to read them anyhow. This is true unless
the directory where the cache resides is mounted over nfs
with root_squash.
Signed-off-by: Egbert Eich <eich@suse.de>
- util/rpmquery:
* added new methods "is_src", "is_nosrc" to check if the package is
a src rpm or nosrc rpm
* fixed "canonname": this never worked for src- or nosrc rpms
- minor code restructuring
Note:
in order to fetch the cpio archives osc uses "getbinarylist". The
drawback is that "getbinarylist" doesn't generate an ".errors" file
if we're requesting a non-existent filename.
Some projects use the same gpg key. To avoid osc from quitting when
building against two or more such projects at the same time ignore
gpg key import errors as long as at least one key could be imported.