[Python-apps-team] Bug#581122: mercurial-common: bashism in /bin/sh script

Thomas Arendsen Hein thomas at intevation.de
Tue May 11 09:12:23 UTC 2010


* Javi Merino <cibervicho at gmail.com> [20100511 10:48]:
> Hi, I think the attached patch fixes the bashism by creating a function
> that returns a random number instead of relying on the $RANDOM magic
> variable.
> 
> I'll try to get it accepted upstream.

I'm not sure if something based on /dev/urandom will be accepted
upstream as /dev/urandom is not available everywhere.

> On 11/05/10 07:42, Raphael Geissert wrote:
> > While performing an archive wide checkbashisms (from the 'devscripts' package)
> > check I've found your package containing a /bin/sh script making use
> > of a bashism.
> > 
> > checkbashisms' output:
> >> possible bashism in ./usr/share/doc/mercurial-common/examples/hgeditor line
> >> 30 ($RANDOM):
> >> HGTMP="${TMPDIR-/tmp}/hgeditor.$RANDOM.$RANDOM.$RANDOM.$$"

This is only a half-bashism, on shells without special support for
$RANDOM the variable simply evaluates to the empty string.

This is just "hgeditor....$$", so it is easier to create name
collisions, but still no security risk as the script simply aborts
in this case.

I guess the ideal solution would be to rewrite hgeditor in python,
but if you can replace the creation of the temporary directory with
a simple call to
  python -c "something"
it would be enough to solve your current problem.

Regards,
Thomas Arendsen Hein

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
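
Added example (not part of the original message, the attached patch, or hgeditor itself): a POSIX sh sketch of creating the temporary directory without `$RANDOM`, showing why a predictable name such as `hgeditor....$$` leads to an abort rather than a takeover when the directory is created with a plain `mkdir`. The function names `create_private_dir` and `make_private_tmpdir` are hypothetical.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical, not taken from hgeditor.

# Create "$1" as a new directory accessible only by its owner.
# mkdir without -p fails if anything already exists at the path (file,
# directory, or symlink, dangling or not), so a name that someone else
# created first is refused instead of being reused.
create_private_dir() {
    (umask 077 && mkdir "$1") 2>/dev/null
}

# Print the path of a fresh private directory under ${TMPDIR-/tmp}.
# Returns non-zero if none could be created; the caller should abort then.
make_private_tmpdir() {
    prefix=$1
    base=${TMPDIR-/tmp}

    # Preferred: mktemp -d picks an unpredictable name and creates the
    # directory in one step. It is widely available but not part of POSIX.
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "$base/$prefix.XXXXXXXXXX"
        return
    fi

    # Fallback without any randomness source: the name is predictable
    # (PID plus counter), so safety rests entirely on mkdir refusing
    # existing paths. A collision only costs a retry, then an abort.
    n=0
    while [ "$n" -lt 100 ]; do
        dir="$base/$prefix.$$.$n"
        if create_private_dir "$dir"; then
            printf '%s\n' "$dir"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Usage in a script that aborts on failure:
#   HGTMP=$(make_private_tmpdir hgeditor) || { echo "cannot create temp dir" >&2; exit 1; }
```
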