[Qgis-developer] Release problem

Alex Mandel tech_dev at wildintellect.com
Tue Jun 26 14:45:25 PDT 2012

On 06/26/2012 02:08 PM, Giuseppe Sucameli wrote:
> Hi Victor,
> On Tue, Jun 26, 2012 at 4:47 PM, Victor Olaya <volayaf at gmail.com> wrote:
>> I am sorry to insist a bit, but I am having problems releasing a new
>> version of SEXTANTE, due to a problem with the security of the release
>> system, which does not allow path information in zip files.
> looking at the qgis-django webapp code seems that your zip file
> has something wrong.
> Here's the code of the webapp that accomplish that check:
>     for zname in zip.namelist():
>         if zname.find('..') != -1 or zname.find(os.path.sep) == 0 :
>             raise ValidationError( _("For security reasons, zip file
> cannot contain path informations") )
> It seems that filenames within your zip contains also path
> informations. I'm not sure I understood well what path information
> is, but I suppose is something that defines where to put each file
> when it's extracted.
> So if you extract only one file (e.g. sextante/images/config.png)
> the zip application want to put it within the sextante/images folder.
> This could be a problem if you put files with path information
> like "/usr" or just "/" of "../../../something".
> Which command do you use to zip the plugin folder?
> This is the command I run to zip my plugins:
> zip -r PLUGIN_NAME.zip PLUGIN_FOLDER -x \*.svn* -x \*.pyc -x \*~ -x
> \*entries\* -x \*.git\*
> Hope this helps.
> Regards.

Right what it's trying to prevent is full paths so that a zip doesn't
nefariously put stuff at / on a nix style system or C:/ on windows
system. Relative directory structure should not be effected by this. So
as Giuseppe points out it's a matter of finding the right zip options.


More information about the Qgis-developer mailing list