Merge lp:click/devel into lp:click

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: 592
Merged at revision: 464
Proposed branch: lp:click/devel
Merge into: lp:click
Diff against target: 295 lines (+127/-12)
9 files modified
bin/click (+24/-0)
click/__init__.py (+3/-0)
click/chroot.py (+7/-4)
click/install.py (+10/-4)
click/tests/test_database.py (+2/-1)
click/tests/test_hooks.py (+1/-0)
click/tests/test_install.py (+48/-1)
debian/changelog (+30/-0)
debian/control (+2/-2)
To merge this branch: bzr merge lp:click/devel
Reviewer Review Type Date Requested Status
Colin Watson Approve
Review via email: mp+280225@code.launchpad.net

Commit message

Click 0.4.41: Various build and test fixes; avoid a couple of corner cases that cause click itself to fail to install.

Description of the change

  * Fix spurious test_sync_without_user_db test failure.
  * Fix test failures under Python 2.
  * Take evasive action in case the conflicting "click" package has been
    installed locally from PyPI (LP: #1486841).
  * Drop use of apt_pkg from click.install, since it's no longer needed
    there (LP: #1510015).
  * Require specific Click version, to avoid gi warnings that fail
    test-suite (LP: #1522608).
  * Set Vcs-* fields to the actual development branch.

lp:click/devel updated
592. By Colin Watson

[r=cjwatson] Set Vcs-* fields to the actual development branch.

Revision history for this message
Colin Watson (cjwatson) :
review: Approve

Preview Diff

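--- a/bin/click
+++ b/bin/click
@@ -28,6 +28,30 @@
 # Support running from the build tree.
 sys.path.insert(0, os.path.join(sys.path[0], os.pardir))
 
+import gi
+gi.require_version('Click', '0.4')
+
+# There is an unfortunate name clash with
+# https://pypi.python.org/pypi/click; try to detect this and take evasive
+# action.
+import click
+if not getattr(click, "_CLICK_IS_A_PACKAGING_FORMAT_", None):
+ import site
+ wrong_click_mods = [
+ mod for mod in sys.modules if mod.split(".")[0] == "click"]
+ for mod in wrong_click_mods:
+ del sys.modules[mod]
+ try:
+ user_site_index = sys.path.index(site.getusersitepackages())
+ except ValueError:
+ print(
+ "Cannot start click due to a conflict with a different "
+ "locally-installed Python 'click' package. Remove it using "
+ "Python packaging tools and try again.",
+ file=sys.stderr)
+ sys.exit(1)
+ del sys.path[user_site_index]
+
 from click import commands
 
 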
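Review bot: Deleting the user site-packages entry from sys.path (hunk line 30) only helps when the conflicting 'click' was found there; if it came from anywhere else (a system-wide pip install, a PYTHONPATH entry), `from click import commands` on the next line resolves the same wrong package again and dies with an ImportError instead of the clear message printed in the except branch. Re-importing and re-checking the marker after the path edit, with the message hoisted into a small helper so it is not duplicated, closes that gap. Note also that the first `import click` has already executed whatever package was found before the marker is inspected, so this is a usability measure against an accidental install rather than a defence against a deliberately planted module; a one-line comment saying so would keep that expectation straight.
```python
def _conflicting_click_exit():
    print(
        "Cannot start click due to a conflict with a different "
        "locally-installed Python 'click' package. Remove it using "
        "Python packaging tools and try again.",
        file=sys.stderr)
    sys.exit(1)

import click
if not getattr(click, "_CLICK_IS_A_PACKAGING_FORMAT_", None):
    # … unchanged: purge "click" entries from sys.modules …
    try:
        user_site_index = sys.path.index(site.getusersitepackages())
    except ValueError:
        _conflicting_click_exit()
    del sys.path[user_site_index]
    # Re-import and re-check: the conflicting copy may not have come from
    # the user site directory at all.
    import click
    if not getattr(click, "_CLICK_IS_A_PACKAGING_FORMAT_", None):
        _conflicting_click_exit()
```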
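--- a/click/__init__.py
+++ b/click/__init__.py
@@ -0,0 +1,3 @@
+# Marker to help resolve unfortunate name clash between this package and
+# https://pypi.python.org/pypi/click.
+_CLICK_IS_A_PACKAGING_FORMAT_ = 1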
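--- a/click/chroot.py
+++ b/click/chroot.py
@@ -27,8 +27,11 @@
 "ClickChrootDoesNotExistException",
 ]
 
-import urllib
-import urllib.request
+try:
+ from urllib.error import URLError
+ from urllib.request import urlopen
+except ImportError:
+ from urllib2 import URLError, urlopen
 import os
 import pwd
 import re
@@ -216,14 +219,14 @@
 if click_no_local_mirror == '1':
 return ""
 try:
- with urllib.request.urlopen(GEOIP_SERVER) as f:
+ with urlopen(GEOIP_SERVER) as f:
 xml_data = f.read()
 et = ElementTree.fromstring(xml_data)
 cc = et.find("CountryCode")
 if not cc:
 return ""
 return cc.text.lower()+"."
- except (ElementTree.ParseError, urllib.error.URLError):
+ except (ElementTree.ParseError, URLError):
 pass
 return ""
 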
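Review bot: The second hunk's `with urlopen(GEOIP_SERVER) as f:` does not work on the Python 2 path that the first hunk introduces: `urllib2.urlopen` returns an `addinfourl` object with no `__enter__`/`__exit__`, so the `with` statement raises AttributeError, which the `except (ElementTree.ParseError, URLError)` clause below does not catch. Wrapping the response in `closing` gives both branches the same behaviour: `with closing(urlopen(GEOIP_SERVER)) as f:` (importing `closing` from `contextlib`). Separately, the call carries no timeout, so an unreachable geoip server stalls chroot creation until the socket default expires; a short explicit value, e.g. `urlopen(GEOIP_SERVER, timeout=10)` (example value), bounds that. The enclosing function starts outside the hunk.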
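--- a/click/install.py
+++ b/click/install.py
@@ -42,7 +42,6 @@
 
 from contextlib import closing
 
-import apt_pkg
 from debian.debfile import DebFile as _DebFile
 from debian.debian_support import Version
 from gi.repository import Click
@@ -73,9 +72,6 @@
 self.data._DebPart__member.close()
 
 
-apt_pkg.init_system()
-
-
 class DebsigVerifyError(Exception):
 pass
 
@@ -276,6 +272,16 @@
 'with system architecture "%s"' %
 (architecture, dpkg_architecture))
 
+ # This isn't ideally quick, since it has to decompress the data
+ # part of the package, but dpkg's path filtering code assumes
+ # that all paths start with "./" so we must check it before
+ # passing the package to dpkg.
+ for data_name in package.data:
+ if data_name != "." and not data_name.startswith("./"):
+ raise ClickInstallerAuditError(
+ 'File name "%s" in package does not start with "./"' %
+ data_name)
+
 if slow:
 temp_dir = tempfile.mkdtemp(prefix="click")
 try: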
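Review bot: In the third hunk the member name taken from the untrusted data tarball is interpolated into the ClickInstallerAuditError message with `%s`, so a crafted archive can push newlines or terminal control characters straight into logs and the console; `%r` gives a quoted, escaped rendering: `'File name %r in package does not start with "./"' % data_name` (the regex in the new test would need the matching update). The check is well placed, before dpkg sees the archive, and it also rejects absolute member names, which the comment could say explicitly. A name such as `./../x` still passes this check, so the filter relies on dpkg's own handling of `..` components; a one-line comment stating that assumption would save the next reader from re-deriving it. The enclosing audit method starts and ends outside the hunk.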
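--- a/click/tests/test_database.py
+++ b/click/tests/test_database.py
@@ -32,6 +32,7 @@
 import unittest
 
 from gi.repository import Click, GLib
+from six import integer_types
 
 from click.json_helpers import json_array_to_python, json_object_to_python
 from click.tests.gimock_types import Passwd
@@ -55,7 +56,7 @@
 "bar", "1.0", "/path/to/foo/1.0", False)
 
 def test_hash(self):
- self.assertIsInstance(self.foo.hash(), int)
+ self.assertIsInstance(self.foo.hash(), integer_types)
 self.assertEqual(self.foo.hash(), self.foo_clone.hash())
 self.assertNotEqual(self.foo.hash(), self.foo_different_version.hash())
 self.assertNotEqual(self.foo.hash(), self.foo_different_path.hash())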
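--- a/click/tests/test_hooks.py
+++ b/click/tests/test_hooks.py
@@ -895,6 +895,7 @@
 ) as (enter, preloads):
 enter()
 preloads["click_get_user_home"].return_value = "/home/test-user"
+ self._setup_hooks_dir(preloads)
 with mkfile(
 os.path.join(self.temp_dir, "hooks", "test.hook")) as f:
 print("User-Level: yes", file=f)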
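--- a/click/tests/test_install.py
+++ b/click/tests/test_install.py
@@ -23,19 +23,24 @@
 ]
 
 
-from contextlib import contextmanager
+from contextlib import (
+ closing,
+ contextmanager,
+ )
 import hashlib
 import json
 import os
 import shutil
 import stat
 import subprocess
+import tarfile
 
 from unittest import skipUnless
 
 from debian.deb822 import Deb822
 from gi.repository import Click
 
+from click.arfile import ArFile
 from click.build import ClickBuilder
 from click.install import (
 ClickInstaller,
@@ -50,6 +55,7 @@
 TestCase,
 touch,
 )
+from click.versions import spec_version
 
 
 @contextmanager
@@ -104,6 +110,7 @@
 script.write(contents)
 Click.ensuredir(data_dir)
 for name, path in data_files.items():
+ Click.ensuredir(os.path.dirname(os.path.join(data_dir, name)))
 if path is None:
 touch(os.path.join(data_dir, name))
 elif os.path.isdir(path):
@@ -320,6 +327,46 @@
 ])
 self.assertEqual(("test-package", "1.0"), installer.audit(path))
 
+ def test_audit_missing_dot_slash(self):
+ # Manually construct a package with data paths that do not start
+ # with "./", which could be used to bypass path filtering.
+ with self.run_in_subprocess(
+ "click_get_frameworks_dir") as (enter, preloads):
+ enter()
+ path = self.make_fake_package(
+ control_fields={"Click-Version": "0.2"},
+ manifest={
+ "name": "test-package",
+ "version": "1.0",
+ "framework": "ubuntu-sdk-13.10",
+ },
+ control_scripts={"preinst": static_preinst},
+ data_files={".click/tmp.ci/manifest": None})
+ # Repack without the leading "./".
+ data_dir = os.path.join(self.temp_dir, "fake-package")
+ data_tar_path = os.path.join(self.temp_dir, "data.tar.gz")
+ control_tar_path = os.path.join(self.temp_dir, "control.tar.gz")
+ package_path = '%s.click' % data_dir
+ with closing(tarfile.TarFile.open(
+ name=data_tar_path, mode="w:gz", format=tarfile.GNU_FORMAT
+ )) as data_tar:
+ data_tar.add(
+ os.path.join(data_dir, ".click"), arcname=".click")
+ with ArFile(name=package_path, mode="w") as package:
+ package.add_magic()
+ package.add_data("debian-binary", b"2.0\n")
+ package.add_data(
+ "_click-binary", ("%s\n" % spec_version).encode("UTF-8"))
+ package.add_file("control.tar.gz", control_tar_path)
+ package.add_file("data.tar.gz", data_tar_path)
+ self._setup_frameworks(preloads, frameworks=["ubuntu-sdk-13.10"])
+ with mock_quiet_subprocess_call():
+ installer = ClickInstaller(self.db)
+ self.assertRaisesRegex(
+ ClickInstallerAuditError,
+ 'File name ".click" in package does not start with "./"',
+ installer.audit, path)
+
 def test_audit_broken_md5sums(self):
 with self.run_in_subprocess(
 "click_get_frameworks_dir") as (enter, preloads):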
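Review bot: The expected-message argument of assertRaisesRegex in the fourth hunk is a regular expression, so the unescaped dots in `".click"` and `"./"` match any character and the assertion is looser than it reads; pass `re.escape('File name ".click" in package does not start with "./"')` (adding `import re` to the import block) so the message is matched literally. The test also rebuilds the archive at `'%s.click' % data_dir` but then audits `path` returned by make_fake_package; that only exercises the repacked file if the two names coincide, which is not visible here, and writing `ArFile(name=path, mode="w")` would make the overwrite explicit. Likewise `control_tar_path` assumes make_fake_package leaves `control.tar.gz` behind in temp_dir, which deserves a short comment if it is a guaranteed side effect of that helper. The test class and the helpers it calls start outside the hunk.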
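--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+click (0.4.41) UNRELEASED; urgency=medium
+
+ [ Colin Watson ]
+ * Fix spurious test_sync_without_user_db test failure.
+ * Fix test failures under Python 2.
+ * Forbid installing packages with data tarball members whose names do not
+ start with "./" (LP: #1506467).
+ * Take evasive action in case the conflicting "click" package has been
+ installed locally from PyPI (LP: #1486841).
+ * Drop use of apt_pkg from click.install, since it's no longer needed
+ there (LP: #1510015).
+
+ [ Dimitri John Ledkov ]
+ * Require specific Click version, to avoid gi warnings that fail
+ test-suite (LP: #1522608).
+ * Set Vcs-* fields to the actual development branch.
+
+ -- Colin Watson <cjwatson@ubuntu.com> Thu, 15 Oct 2015 12:46:54 +0100
+
+click (0.4.40+15.10.20151006-0ubuntu1.1) wily; urgency=medium
+
+ * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
+ can be used to install alternate security policy than what is defined
+ - click/install.py: Forbid installing packages with data tarball members
+ whose names do not start with "./". Patch thanks to Colin Watson.
+ - CVE-2015-XXXX
+ - LP: #1506467
+
+ -- Jamie Strandboge <jamie@ubuntu.com> Thu, 15 Oct 2015 11:13:36 -0500
+
 click (0.4.40+15.10.20151006-0ubuntu1) wily; urgency=medium
 
 [ Michael Vogt ]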
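--- a/debian/control
+++ b/debian/control
@@ -4,8 +4,8 @@
 Maintainer: Colin Watson <cjwatson@ubuntu.com>
 Standards-Version: 3.9.5
 Build-Depends: debhelper (>= 9~), dh-autoreconf, intltool, python3:any (>= 3.2), python3-all:any, python3-setuptools, python3-apt, python3-debian, python3-gi, python3:any (>= 3.3) | python3-mock, pep8, python3-pep8, pyflakes, python3-sphinx, pkg-config, valac, gobject-introspection (>= 0.6.7), libgirepository1.0-dev (>= 0.6.7), libglib2.0-dev (>= 2.34), gir1.2-glib-2.0, libjson-glib-dev (>= 0.10), libgee-0.8-dev, libpackagekit-glib2-dev (>= 0.7.2), python3-coverage, python3-six, dh-systemd (>= 1.3)
-Vcs-Bzr: https://code.launchpad.net/~ubuntu-managed-branches/click/click
-Vcs-Browser: http://bazaar.launchpad.net/~ubuntu-managed-branches/click/click/files
+Vcs-Bzr: https://code.launchpad.net/~click-hackers/click/devel
+Vcs-Browser: http://bazaar.launchpad.net/~click-hackers/click/devel/files
 X-Python-Version: >= 2.7
 X-Python3-Version: >= 3.2
 XS-Testsuite: autopkgtest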
