On 06.07.2014 13:51, Sandro Mani wrote:
> On 06.07.2014 13:48, Reindl Harald wrote:
>>
>> On 06.07.2014 13:41, Sandro Mani wrote:
>>> On 06.07.2014 13:38, drago01 wrote:
>>>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas <opensource@xxxxxxxxx> wrote:
>>>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>>>
>>>>>> * A script automating most of the process of validating and processing the
>>>>>> request can be found at
>>>>>>
>>>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>>> Do not run this script, because it contains malicious code that
>>>>> might remove all files from your system! The code can be found in lines
>>>>> 301-302:
>>>>>
>>>>> | 301 os.chdir("/")
>>>>> | 302 shutil.rmtree(os.getcwd())
>>>> Ouch ... can we ban this guy from Fedora?
>>> This is a bit dramatic. I really sincerely apologize for this and please
>>> realize that I wrote this with the best intentions. I've fixed the issue...
>> How can an "rm -rf currentdir" happen by accident?
>> And that combined with making / the current dir?
>>
>> Line 302 is a no-go in general.
>> Line 301 before that smells like intention.
>>
>> I can't imagine that two lines together happen by mistake.
>>
> It was a line ordering issue.
> The cwd before that call was the temporary directory.
> Please trust me, I really feel bad about this, and will never again push code
> which was written late at night.
> Again, I really apologize.

Accepted - but "shutil.rmtree(os.getcwd())" is in general not a line ordering issue; it's **** from a developer's perspective because it *always* leads to unpredictable behavior if the "chdir" fails for whatever reason, be it a typo, wrong permissions somewhere, or SELinux coming into place. That's horribly dangerous in any context.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
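The thread's point is that a cleanup built on `shutil.rmtree(os.getcwd())` is only as safe as whatever `chdir` ran before it. The following is an added example, not code from the script under discussion, showing one defensive pattern: the cleanup names the directory it created explicitly and a guard (`safe_rmtree`, a hypothetical helper) refuses any path that does not resolve to a child of an expected scratch root, so the misordered `os.chdir("/")` from lines 301-302 becomes a raised error instead of a wiped filesystem. The `cleanup_demo` function and its scratch files are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path


def safe_rmtree(target: str, scratch_root: str) -> str:
    """Remove `target` only if it resolves to a strict child of `scratch_root`.

    Symlinks are resolved first, so neither "/" nor the scratch root itself
    nor anything outside it can ever be deleted through this function.
    """
    resolved = Path(target).resolve()
    root = Path(scratch_root).resolve()
    if root not in resolved.parents:
        raise ValueError(f"refusing to remove {resolved}: not inside {root}")
    shutil.rmtree(resolved)
    return str(resolved)


def cleanup_demo() -> dict:
    """Reproduce the misordered chdir from the thread and show the guard holding.

    Returns a dict so the outcome can be checked rather than only printed.
    """
    scratch_root = tempfile.gettempdir()
    # Constructed working directory, standing in for the script's temp dir.
    work = tempfile.mkdtemp(prefix="process-simple-patch-demo-")
    (Path(work) / "patch.diff").write_text("constructed sample content\n")

    old_cwd = os.getcwd()
    os.chdir("/")  # the step that made os.getcwd() mean "/" in the original
    try:
        try:
            # What lines 301-302 amounted to; the guard must reject it.
            safe_rmtree(os.getcwd(), scratch_root)
            rejected_root = False
        except ValueError:
            rejected_root = True
        # The intended cleanup: name the directory, don't rely on cwd.
        removed = safe_rmtree(work, scratch_root)
    finally:
        os.chdir(old_cwd)

    return {
        "rejected_root": rejected_root,
        "removed": removed,
        "work_still_exists": os.path.exists(work),
    }
```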