Simple hackish solution to CVE-2014-3539. #107
Conversation
|
@aligrudi … I would like to see some comments on this so we can get rid of this CVE soon. I would make some fast release as well, so we can put it to distros and on PyPI. |
|
Matěj Cepl [email protected] wrote:
Are the tests failing now? |
|
|
Matěj Cepl [email protected] wrote:
Clearly transferring data from the sub-process does |
This doesn't resolve the issue, but at least people using DOA should be intentional about it and aware of the security risks. It is also necessary explicitly switch on 'perform_doa' preference for tests that require it. Fixes #105
| @@ -20,6 +20,7 @@ def tearDown(self): | |||
| super(DynamicOITest, self).tearDown() | |||
|
|
|||
| def test_simple_dti(self): | |||
| self.project.prefs['perform_doa'] = True | |||
There was a problem hiding this comment.
for the doi tests it seems sensible to just do this in the setup directly instead of seemingly each test
|
This bug is really old and needs to be revisited ASAP. @mcepl, do you remember where this left off? I will take a look at it when I get a chance, but it doesn't entirely make sense to me now. |
|
Well, originally it came with https://bugzilla.redhat.com/show_bug.cgi?id=1116485 and this was my feeble effort to fix the problem. |
|
Please merge this to fix the 3 year old CVE... |
I am not the maintainer of rope anymore, @soupytwist is. |
|
Will merge ASAP, have to fix failing tests first. |
|
So... uhhh. Still haven't merged "yet", right? 😉 |
|
Aye. Honestly I don't remember why I didn't get anywhere with this. I know the test is still failing, will take another stab at it... if anyone else wants to take a look at it as well, that would be helpful. |
|
Solved in #251. |
This doesn't resolve the issue, but at least people using DOA should be
intentional about it and aware of the security risks.
Fixes #105