Merge lp:click/devel into lp:click

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: 592
Merged at revision: 464
Proposed branch: lp:click/devel
Merge into: lp:click
Diff against target: 295 lines (+127/-12)
9 files modified
bin/click (+24/-0)
click/__init__.py (+3/-0)
click/chroot.py (+7/-4)
click/install.py (+10/-4)
click/tests/test_database.py (+2/-1)
click/tests/test_hooks.py (+1/-0)
click/tests/test_install.py (+48/-1)
debian/changelog (+30/-0)
debian/control (+2/-2)
To merge this branch: bzr merge lp:click/devel
Reviewer Review Type Date Requested Status
Colin Watson Approve
Review via email: mp+280225@code.launchpad.net

Commit message

Click 0.4.41: Various build and test fixes; avoid a couple of corner cases that cause click itself to fail to install.

Description of the change

  * Fix spurious test_sync_without_user_db test failure.
  * Fix test failures under Python 2.
  * Take evasive action in case the conflicting "click" package has been
    installed locally from PyPI (LP: #1486841).
  * Drop use of apt_pkg from click.install, since it's no longer needed
    there (LP: #1510015).
  * Require specific Click version, to avoid gi warnings that fail
    test-suite (LP: #1522608).
  * Set Vcs-* fields to the actual development branch.

lp:click/devel updated
592. By Colin Watson

[r=cjwatson] Set Vcs-* fields to the actual development branch.

Colin Watson (cjwatson) :
review: Approve

Preview Diff

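--- a/bin/click
+++ b/bin/click
@@ -28,6 +28,30 @@
 # Support running from the build tree.
 sys.path.insert(0, os.path.join(sys.path[0], os.pardir))
 
+import gi
+gi.require_version('Click', '0.4')
+
+# There is an unfortunate name clash with
+# https://pypi.python.org/pypi/click; try to detect this and take evasive
+# action.
+import click
+if not getattr(click, "_CLICK_IS_A_PACKAGING_FORMAT_", None):
+ import site
+ wrong_click_mods = [
+ mod for mod in sys.modules if mod.split(".")[0] == "click"]
+ for mod in wrong_click_mods:
+ del sys.modules[mod]
+ try:
+ user_site_index = sys.path.index(site.getusersitepackages())
+ except ValueError:
+ print(
+ "Cannot start click due to a conflict with a different "
+ "locally-installed Python 'click' package. Remove it using "
+ "Python packaging tools and try again.",
+ file=sys.stderr)
+ sys.exit(1)
+ del sys.path[user_site_index]
+
 from click import commands
 
 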
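Review bot: After `del sys.path[user_site_index]` nothing confirms that the next import resolves to this project's package, so when the user site directory is on `sys.path` but the conflicting copy lives elsewhere (for example a system-wide site-packages directory), the script falls through to `from click import commands` and fails with an unexplained ImportError. Re-importing and re-testing the marker after the path edit, `import click` followed by `if not getattr(click, "_CLICK_IS_A_PACKAGING_FORMAT_", None):` and the same message plus `sys.exit(1)`, would make that case explicit. The first `import click` has also already run the other package's top-level code before the marker is tested, and any module named click could define the marker, so a comment such as `# Name-clash workaround only; not an integrity check on what was imported.` would stop readers from treating this as a security control.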
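--- a/click/__init__.py
+++ b/click/__init__.py
@@ -0,0 +1,3 @@
+# Marker to help resolve unfortunate name clash between this package and
+# https://pypi.python.org/pypi/click.
+_CLICK_IS_A_PACKAGING_FORMAT_ = 1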
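--- a/click/chroot.py
+++ b/click/chroot.py
@@ -27,8 +27,11 @@
  "ClickChrootDoesNotExistException",
  ]
 
-import urllib
-import urllib.request
+try:
+ from urllib.error import URLError
+ from urllib.request import urlopen
+except ImportError:
+ from urllib2 import URLError, urlopen
 import os
 import pwd
 import re
@@ -216,14 +219,14 @@
  if click_no_local_mirror == '1':
  return ""
  try:
- with urllib.request.urlopen(GEOIP_SERVER) as f:
+ with urlopen(GEOIP_SERVER) as f:
  xml_data = f.read()
  et = ElementTree.fromstring(xml_data)
  cc = et.find("CountryCode")
  if not cc:
  return ""
  return cc.text.lower()+"."
- except (ElementTree.ParseError, urllib.error.URLError):
+ except (ElementTree.ParseError, URLError):
  pass
  return ""
 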
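Review bot: The Python 2 fallback imports `urlopen` from urllib2, but the new `with urlopen(GEOIP_SERVER) as f:` in the second hunk needs a context manager, which the urllib2 response object does not provide on Python 2. That path would raise AttributeError, which the `except (ElementTree.ParseError, URLError)` clause does not catch. Using `with closing(urlopen(GEOIP_SERVER)) as f:` together with `from contextlib import closing` works on both versions. The call also passes no `timeout=`, so a stalled server can hang the command, and the response is parsed as XML straight from the network; whether GEOIP_SERVER is an https URL is not visible here and is worth confirming. The enclosing function starts outside the hunk.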
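--- a/click/install.py
+++ b/click/install.py
@@ -42,7 +42,6 @@
 
 from contextlib import closing
 
-import apt_pkg
 from debian.debfile import DebFile as _DebFile
 from debian.debian_support import Version
 from gi.repository import Click
@@ -73,9 +72,6 @@
  self.data._DebPart__member.close()
 
 
-apt_pkg.init_system()
-
-
 class DebsigVerifyError(Exception):
  pass
 
@@ -276,6 +272,16 @@
  'with system architecture "%s"' %
  (architecture, dpkg_architecture))
 
+ # This isn't ideally quick, since it has to decompress the data
+ # part of the package, but dpkg's path filtering code assumes
+ # that all paths start with "./" so we must check it before
+ # passing the package to dpkg.
+ for data_name in package.data:
+ if data_name != "." and not data_name.startswith("./"):
+ raise ClickInstallerAuditError(
+ 'File name "%s" in package does not start with "./"' %
+ data_name)
+
 if slow:
  temp_dir = tempfile.mkdtemp(prefix="click")
  try: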
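Review bot: The new loop in the third hunk validates only the prefix of each data member name, so a name that starts with `./` but contains a `..` component still passes `data_name.startswith("./")`. Whether dpkg's own unpacking rejects such members is not visible from this hunk. Either reject them in the same loop, for example `if ".." in data_name.split("/"): raise ClickInstallerAuditError(...)`, or extend the comment to state that dpkg is relied on for that case, e.g. `# Only the prefix is checked here; ".." components are left to dpkg.`. The enclosing audit method starts and ends outside the hunk.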
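--- a/click/tests/test_database.py
+++ b/click/tests/test_database.py
@@ -32,6 +32,7 @@
 import unittest
 
 from gi.repository import Click, GLib
+from six import integer_types
 
 from click.json_helpers import json_array_to_python, json_object_to_python
 from click.tests.gimock_types import Passwd
@@ -55,7 +56,7 @@
  "bar", "1.0", "/path/to/foo/1.0", False)
 
  def test_hash(self):
- self.assertIsInstance(self.foo.hash(), int)
+ self.assertIsInstance(self.foo.hash(), integer_types)
  self.assertEqual(self.foo.hash(), self.foo_clone.hash())
  self.assertNotEqual(self.foo.hash(), self.foo_different_version.hash())
  self.assertNotEqual(self.foo.hash(), self.foo_different_path.hash())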
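--- a/click/tests/test_hooks.py
+++ b/click/tests/test_hooks.py
@@ -895,6 +895,7 @@
  ) as (enter, preloads):
  enter()
  preloads["click_get_user_home"].return_value = "/home/test-user"
+ self._setup_hooks_dir(preloads)
  with mkfile(
  os.path.join(self.temp_dir, "hooks", "test.hook")) as f:
  print("User-Level: yes", file=f)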
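--- a/click/tests/test_install.py
+++ b/click/tests/test_install.py
@@ -23,19 +23,24 @@
  ]
 
 
-from contextlib import contextmanager
+from contextlib import (
+ closing,
+ contextmanager,
+ )
 import hashlib
 import json
 import os
 import shutil
 import stat
 import subprocess
+import tarfile
 
 from unittest import skipUnless
 
 from debian.deb822 import Deb822
 from gi.repository import Click
 
+from click.arfile import ArFile
 from click.build import ClickBuilder
 from click.install import (
  ClickInstaller,
@@ -50,6 +55,7 @@
  TestCase,
  touch,
 )
+from click.versions import spec_version
 
 
 @contextmanager
@@ -104,6 +110,7 @@
  script.write(contents)
  Click.ensuredir(data_dir)
  for name, path in data_files.items():
+ Click.ensuredir(os.path.dirname(os.path.join(data_dir, name)))
  if path is None:
  touch(os.path.join(data_dir, name))
  elif os.path.isdir(path):
@@ -320,6 +327,46 @@
  ])
  self.assertEqual(("test-package", "1.0"), installer.audit(path))
 
+ def test_audit_missing_dot_slash(self):
+ # Manually construct a package with data paths that do not start
+ # with "./", which could be used to bypass path filtering.
+ with self.run_in_subprocess(
+ "click_get_frameworks_dir") as (enter, preloads):
+ enter()
+ path = self.make_fake_package(
+ control_fields={"Click-Version": "0.2"},
+ manifest={
+ "name": "test-package",
+ "version": "1.0",
+ "framework": "ubuntu-sdk-13.10",
+ },
+ control_scripts={"preinst": static_preinst},
+ data_files={".click/tmp.ci/manifest": None})
+ # Repack without the leading "./".
+ data_dir = os.path.join(self.temp_dir, "fake-package")
+ data_tar_path = os.path.join(self.temp_dir, "data.tar.gz")
+ control_tar_path = os.path.join(self.temp_dir, "control.tar.gz")
+ package_path = '%s.click' % data_dir
+ with closing(tarfile.TarFile.open(
+ name=data_tar_path, mode="w:gz", format=tarfile.GNU_FORMAT
+ )) as data_tar:
+ data_tar.add(
+ os.path.join(data_dir, ".click"), arcname=".click")
+ with ArFile(name=package_path, mode="w") as package:
+ package.add_magic()
+ package.add_data("debian-binary", b"2.0\n")
+ package.add_data(
+ "_click-binary", ("%s\n" % spec_version).encode("UTF-8"))
+ package.add_file("control.tar.gz", control_tar_path)
+ package.add_file("data.tar.gz", data_tar_path)
+ self._setup_frameworks(preloads, frameworks=["ubuntu-sdk-13.10"])
+ with mock_quiet_subprocess_call():
+ installer = ClickInstaller(self.db)
+ self.assertRaisesRegex(
+ ClickInstallerAuditError,
+ 'File name ".click" in package does not start with "./"',
+ installer.audit, path)
+
 def test_audit_broken_md5sums(self):
  with self.run_in_subprocess(
  "click_get_frameworks_dir") as (enter, preloads):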
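Review bot: `test_audit_missing_dot_slash` in the last hunk pins the audit check for one shape of bad name only, a bare relative member (`.click`), so a later change that narrows the check could still pass this test. Since the changelog describes the check as a security fix, a second case with an absolute member name would make the regression coverage match the rule being enforced. The test also reads `control_tar_path` from `self.temp_dir` on the assumption that `make_fake_package` leaves `control.tar.gz` there; that helper's body is outside these hunks, so a comment such as `# Reuses the control.tar.gz that make_fake_package wrote to temp_dir.` would make the dependency explicit.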
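--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+click (0.4.41) UNRELEASED; urgency=medium
+
+ [ Colin Watson ]
+ * Fix spurious test_sync_without_user_db test failure.
+ * Fix test failures under Python 2.
+ * Forbid installing packages with data tarball members whose names do not
+ start with "./" (LP: #1506467).
+ * Take evasive action in case the conflicting "click" package has been
+ installed locally from PyPI (LP: #1486841).
+ * Drop use of apt_pkg from click.install, since it's no longer needed
+ there (LP: #1510015).
+
+ [ Dimitri John Ledkov ]
+ * Require specific Click version, to avoid gi warnings that fail
+ test-suite (LP: #1522608).
+ * Set Vcs-* fields to the actual development branch.
+
+ -- Colin Watson <cjwatson@ubuntu.com> Thu, 15 Oct 2015 12:46:54 +0100
+
+click (0.4.40+15.10.20151006-0ubuntu1.1) wily; urgency=medium
+
+ * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
+ can be used to install alternate security policy than what is defined
+ - click/install.py: Forbid installing packages with data tarball members
+ whose names do not start with "./". Patch thanks to Colin Watson.
+ - CVE-2015-XXXX
+ - LP: #1506467
+
+ -- Jamie Strandboge <jamie@ubuntu.com> Thu, 15 Oct 2015 11:13:36 -0500
+
 click (0.4.40+15.10.20151006-0ubuntu1) wily; urgency=medium
 
  [ Michael Vogt ]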
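--- a/debian/control
+++ b/debian/control
@@ -4,8 +4,8 @@
 Maintainer: Colin Watson <cjwatson@ubuntu.com>
 Standards-Version: 3.9.5
 Build-Depends: debhelper (>= 9~), dh-autoreconf, intltool, python3:any (>= 3.2), python3-all:any, python3-setuptools, python3-apt, python3-debian, python3-gi, python3:any (>= 3.3) | python3-mock, pep8, python3-pep8, pyflakes, python3-sphinx, pkg-config, valac, gobject-introspection (>= 0.6.7), libgirepository1.0-dev (>= 0.6.7), libglib2.0-dev (>= 2.34), gir1.2-glib-2.0, libjson-glib-dev (>= 0.10), libgee-0.8-dev, libpackagekit-glib2-dev (>= 0.7.2), python3-coverage, python3-six, dh-systemd (>= 1.3)
-Vcs-Bzr: https://code.launchpad.net/~ubuntu-managed-branches/click/click
-Vcs-Browser: http://bazaar.launchpad.net/~ubuntu-managed-branches/click/click/files
+Vcs-Bzr: https://code.launchpad.net/~click-hackers/click/devel
+Vcs-Browser: http://bazaar.launchpad.net/~click-hackers/click/devel/files
 X-Python-Version: >= 2.7
 X-Python3-Version: >= 3.2
 XS-Testsuite: autopkgtest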
