Date: Thu, 20 Mar 2014 00:53:11 -0700 (PDT)
From: Jeremy Chadwick <jdc@koitsu.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/187780: ports/pkg (and pkg mirrors): packagesite.yaml contains excessive escaping
Message-ID: <20140320075311.F03B573A1A@icarus.home.lan>
Resent-Message-ID: <201403200800.s2K800w4070940@freefall.freebsd.org>

>Number: 187780
>Category: ports
>Synopsis: ports/pkg (and pkg mirrors): packagesite.yaml contains excessive escaping
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 20 08:00:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Jeremy Chadwick
>Release: FreeBSD 9.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD icarus.home.lan 9.2-STABLE FreeBSD 9.2-STABLE #0 r262477: Tue Feb 25 01:04:30 PST 2014 root@icarus.home.lan:/usr/obj/usr/src/sys/X7SBA_RELENG_9_amd64 amd64

>Description:
Packages installed via "pkg install" which contain double-quotes in their Comment (and possibly Description), and/or possibly other characters, are excessively escaped (possibly once too many times).

These escaped values end up making it into packagesite.yaml, which is part of packagesite.txz, which is what's downloaded during "pkg update -f".

I cannot tell if this is a problem with pkg itself (e.g. one of the tools that builds packagesite.yaml), or if it's something done by one of the actual pkg mirrors itself (in which case someone needs to CC whoever maintains the official pkg.freebsd.org mirrors, because it's not disclosed; all I know is it's hosted by ISC).

This situation reminds me of PHP and magic quotes, heh... ;-)

http://www.php.net/manual/en/security.magicquotes.what.php

>How-To-Repeat:
# pkg info | grep python2-2_2
python2-2_2 The \"meta-port\" for version 2 of the Python interpreter

# pkg info python2-2_2
python2-2_2
Name : python2
Version : 2_2
Installed on : Wed Mar 19 23:19:45 PDT 2014
Origin : lang/python2
Architecture : freebsd:9:x86:64
Prefix : /usr/local
Categories : python lang ipv6
Maintainer : python@FreeBSD.org
WWW : http://www.python.org/
Comment : The \"meta-port\" for version 2 of the Python interpreter
Flat size : 0.00B
Description :
Python is an interpreted object-oriented programming language, and is
often compared to Tcl, Perl or Scheme.
This is a meta port to the Python 2.x interpreter and provides symbolic links
to bin/python2, bin/pydoc2, bin/idle2 and so on to allow compatibility with
minor version agnostic python scripts.

WWW: http://www.python.org/

Proof it comes from packagesite.yaml:

# mkdir /var/tmp/x
# cd /var/tmp/x
# fetch 'http://pkg.freebsd.org/freebsd:9:x86:64/latest/packagesite.txz'
packagesite.txz 100% of 5062 kB 2613 kBps 00m02s
# tar -Jxvf packagesite.txz
x packagesite.yaml.sig
x packagesite.yaml.pub
x packagesite.yaml
# grep 'meta-port.*for version 2 of the Python' packagesite.yaml
{"name":"python2","origin":"lang/python2","version":"2_2","comment":"The \\\\\\\"meta-port\\\\\\\" for version 2 of the Python interpreter","arch":"freebsd:9:x86:64","maintainer":"python@FreeBSD.org","prefix":"/usr/local","www":"http://www.python.org/","path":"All/python2-2_2.txz","sum":"766b8efc2679c95bd0604f51fae140ae8f071f77875a97949af3b8dd3e9a4859","licenselogic":"single","flatsize":0,"pkgsize":2340,"desc":"Python is an interpreted object-oriented programming language, and is\noften compared to Tcl, Perl or Scheme.\nThis is a meta port to the Python 2.x interpreter and provides symbolic links\nto bin/python2, bin/pydoc2, bin/idle2 and so on to allow compatibility with\nminor version agnostic python scripts.\n\nWWW: http://www.python.org/","deps":{"python27":{"origin":"lang/python27","version":"2.7.6_4"}},"categories":["lang","python","ipv6"]}

Talk about excessive escaping...

>Fix:
n/a

>Release-Note:
>Audit-Trail:
>Unformatted:
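
Added example (not part of the original report and not pkg's own code): a Python check that measures how many surplus escaping rounds a packagesite.yaml field still carries after normal JSON decoding. It assumes one JSON object per line, as the grep output above suggests; the sample records are constructed from the one quoted in the report, and the function names are hypothetical.

```python
import json
import re

# Constructed sample: the report's python2 record trimmed to a few keys (comment
# escaped exactly as quoted there), plus a correctly escaped record for contrast.
SAMPLE = r'''{"name":"python2","version":"2_2","comment":"The \\\\\\\"meta-port\\\\\\\" for version 2 of the Python interpreter","desc":"Python is an interpreted language.\nThis is a meta port."}
{"name":"example","version":"1.0","comment":"A \"clean\" comment"}
'''

# A backslash still sitting in front of a quote or another backslash after JSON
# decoding is a leftover escaping layer. Assumption: no legitimate comment
# contains such a sequence, so this is a heuristic, not a parser rule.
LEFTOVER = re.compile(r'\\(["\\])')

def strip_layers(value):
    """Undo leftover escaping; return (clean_value, number_of_rounds_undone)."""
    layers = 0
    while LEFTOVER.search(value):
        value = LEFTOVER.sub(r'\1', value)
        layers += 1
    return value, layers

def audit(text, fields=("comment", "desc")):
    """Return (line, package, field, layers, clean_value) for over-escaped fields."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip():
            continue
        record = json.loads(line)
        for field in fields:
            value = record.get(field)
            if isinstance(value, str):
                clean, layers = strip_layers(value)
                if layers:
                    findings.append((lineno, record.get("name"), field, layers, clean))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s %s has %d surplus escaping layer(s): %s" % finding)
```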