[Qgis-developer] Release problem

Giuseppe Sucameli brush.tyler at gmail.com
Tue Jun 26 14:08:53 PDT 2012


Hi Victor,

On Tue, Jun 26, 2012 at 4:47 PM, Victor Olaya <volayaf at gmail.com> wrote:
> I am sorry to insist a bit, but I am having problems releasing a new
> version of SEXTANTE, due to a problem with the security of the release
> system, which does not allow path information in zip files.

Looking at the qgis-django webapp code, it seems that your zip file
has something wrong.

Here's the code of the webapp that accomplishes that check (os is the
standard module; ValidationError and _ come from Django):

    import os

    for zname in zip.namelist():
        # reject '..' anywhere in the entry name, or a name starting with the OS separator
        if zname.find('..') != -1 or zname.find(os.path.sep) == 0:
            raise ValidationError(_("For security reasons, zip file cannot contain path informations"))

It seems that the filenames within your zip also contain path
information. I'm not sure I understood well what path information
is, but I suppose it is something that defines where to put each file
when it's extracted.
So if you extract only one file (e.g. sextante/images/config.png)
the zip application wants to put it within the sextante/images folder.
This could be a problem if you put files with path information
like "/usr" or just "/" or "../../../something".

Which command do you use to zip the plugin folder?
This is the command I run to zip my plugins:

zip -r PLUGIN_NAME.zip PLUGIN_FOLDER -x \*.svn* -x \*.pyc -x \*~ -x \*entries\* -x \*.git\*

Hope this helps.
Regards.

> Can anyone bypass that somehow? I could send the package to a trusted
> source (someone from PSC who might check things and see that there is
> nothing wrong in the package), and he could publish it directly.
>
> If not, I will probably upload without help files.
>
> Thanks, and sorry again for repeating this email.
>
> Regards
>
> Victor
> _______________________________________________
> Qgis-developer mailing list
> Qgis-developer at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/qgis-developer



-- 
Giuseppe Sucameli
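The check quoted above, reproduced and compared with a stricter variant, as an added example that is not part of the mailing-list thread or of qgis-django itself. The entry names are constructed, and strict_check is an assumption about how a more robust validator could look, not the webapp's code.

```python
import io
import ntpath
import os
import posixpath
import zipfile

# Constructed sample entry names; only the first is what a well-formed
# plugin archive should contain.
SAMPLE_NAMES = [
    "sextante/images/config.png",   # normal entry
    "sextante/help/notes..txt",     # harmless '..' inside a file name
    "../../../outside.txt",         # relative path leaving the extraction dir
    "/tmp/absolute.txt",            # absolute path
    "sextante\\..\\escape.py",      # backslash separators (ambiguous across platforms)
    "C:\\plugins\\drive.py",        # Windows drive letter
]

def build_sample_zip(names=SAMPLE_NAMES):
    """Build an in-memory zip whose entries carry the constructed names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"x")
    return buf.getvalue()

def webapp_check(names):
    """Same test as the qgis-django snippet: '..' anywhere, or a leading OS separator."""
    return [z for z in names if z.find("..") != -1 or z.find(os.path.sep) == 0]

def strict_check(names):
    """Assumed stricter, platform-independent variant: normalise as a POSIX path
    and reject anything that would land outside the archive root."""
    bad = []
    for z in names:
        norm = posixpath.normpath(z)
        if (z.startswith("/") or "\\" in z or ntpath.splitdrive(z)[0]
                or norm == ".." or norm.startswith("../")):
            bad.append(z)
    return bad

def rejected_entries(zip_bytes, checker):
    """Run a checker over ZipFile.namelist(), as the upload validator does."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return checker(zf.namelist())

if __name__ == "__main__":
    data = build_sample_zip()
    print("webapp check rejects:", rejected_entries(data, webapp_check))
    print("strict check rejects:", rejected_entries(data, strict_check))
```

Note that the webapp check rejects the harmless notes..txt entry (which may be why a legitimate plugin fails validation) while missing the drive-letter entry, and that its leading-separator test depends on the server's os.path.sep.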

