Fix #2768: Quote template strings in activation scripts #2771


Merged
gaborbernat merged 1 commit into pypa:main from y5c4l3:activation-quote
Sep 27, 2024

y5c4l3 (Contributor)

This patch adds `quote` method in `ViaTemplateActivator` so that the magic template strings can be quoted correctly when replacing. This mitigates potential command injection (#2768).

  • ran the linter to address style issues (tox -e fix)
  • wrote descriptive pull request text
  • ensured there are test(s) validating the fix
  • added news fragment in `docs/changelog` folder
  • updated/extended the documentation

This patch adds `quote` method in `ViaTemplateActivator` so that the magic template strings can be quoted correctly when replacing. This mitigates potential command injection (pypa#2768).

Signed-off-by: y5c4l3 <y5c4l3@proton.me>
@gaborbernat left a comment

Comment on lines +23 to +34
base = bin_dir[: -len(__BIN_NAME__) - 1] # strip away the bin part from the __file__, plus the path separator

# prepend bin to PATH (this file is inside the bin directory)
os.environ["PATH"] = os.pathsep.join([bin_dir, *os.environ.get("PATH", "").split(os.pathsep)])
os.environ["VIRTUAL_ENV"] = base # virtual env is right above bin directory
os.environ["VIRTUAL_ENV_PROMPT"] ="__VIRTUAL_PROMPT__" or os.path.basename(base) # noqa: SIM222
os.environ["VIRTUAL_ENV_PROMPT"] = __VIRTUAL_PROMPT__ or os.path.basename(base)

# add the virtual environments libraries to the host python import mechanism
prev_length = len(sys.path)
for lib in"__LIB_FOLDERS__".split(os.pathsep):
for lib in __LIB_FOLDERS__.split(os.pathsep):
path = os.path.realpath(os.path.join(bin_dir, lib))
site.addsitedir(path.decode("utf-8") if"__DECODE_PATH__" else path)
site.addsitedir(path.decode("utf-8") if __DECODE_PATH__ else path)
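
Review bot: In the three changed lines, `__VIRTUAL_PROMPT__`, `__LIB_FOLDERS__` and `__DECODE_PATH__` are now bare names, so this file only runs after the activator has substituted a quoted Python literal for each one, and nothing in the visible template says so. A short comment at the top of the file stating that every `__NAME__` token is replaced with a Python literal when the script is generated would keep readers and linters from treating them as undefined identifiers. The `__DECODE_PATH__` branch now depends on the truthiness of whatever literal is substituted rather than on a string written inside quotes, so a test that renders the template and exercises both branches would be worth having.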


I don't think you meant to remove quotes in `.py` files, e.g. `"__VIRTUAL_PROMPT__"` -> `__VIRTUAL_PROMPT__`. These simply become unassigned Python identifiers, and an error will be thrown whenever `src/virtualenv/activation/python/activate_this.py` is executed (imported).


Or more likely I don't understand what and where sets them and why the quotes were present before this change. With quotes, the code does not make sense to me either.

@gaborbernat, Feb 4, 2025 (edited)

Those values are replaced with python representation here https://github.com/pypa/virtualenv/blob/main/src/virtualenv/activation/python/__init__.py#L21-L25. This is a template file.
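
The raw-versus-quoted substitution discussed in this thread, as an added example that is not virtualenv's code: `render`, the one-line templates and `PROMPT` are constructed for illustration, and `repr` and `shlex.quote` are standard-library quoting functions used here as stand-ins, not necessarily what the project's `quote` method does.

```python
import ast
import shlex

# Constructed one-line templates in the placeholder style of the hunk above.
OLD_PY = 'prompt = "__VIRTUAL_PROMPT__"\n'  # quotes live in the template
NEW_PY = "prompt = __VIRTUAL_PROMPT__\n"    # quoting is the renderer's job
OLD_SH = 'VIRTUAL_ENV_PROMPT="__VIRTUAL_PROMPT__"\n'
NEW_SH = "VIRTUAL_ENV_PROMPT=__VIRTUAL_PROMPT__\n"

# Constructed value: its double quote closes the quotes written in the old templates.
PROMPT = 'x"; import os; "'


def render(template, value, quote=str):
    """Replace the placeholder with quote(value); quote=str pastes the value raw."""
    return template.replace("__VIRTUAL_PROMPT__", quote(value))


def py_statements(source):
    """Names of the top-level statements the rendered Python parses into."""
    return [type(node).__name__ for node in ast.parse(source).body]


def py_prompt(source):
    """Value assigned to `prompt`, read from the AST without executing anything."""
    return ast.literal_eval(ast.parse(source).body[0].value)


def sh_words(source):
    """Words on the rendered line; shlex only approximates a POSIX shell's splitting."""
    return shlex.split(source)


if __name__ == "__main__":
    # Raw paste: the value escapes its string and adds statements / words.
    print(py_statements(render(OLD_PY, PROMPT)))
    print(sh_words(render(OLD_SH, PROMPT)))
    # Quoted at render time: one assignment, one word, value intact.
    print(py_statements(render(NEW_PY, PROMPT, repr)), py_prompt(render(NEW_PY, PROMPT, repr)))
    print(sh_words(render(NEW_SH, PROMPT, shlex.quote)))
```

With the raw paste the rendered Python parses into three statements instead of one; with quoting applied at render time the value survives as a single string in both targets.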


So in this case, the quotes must be there...

@avm19, Feb 5, 2025 (edited)

> This is a template file.

Oh, I got it now. The file is not meant to be interpreted by Python before pre-processing (or creation of a real `.py` file based on it). Thanks for clarifying this for me!

P.S. For context, I was interested in this in relation to cython/cython#1961. Cython Debugger wants to run `activate_this.py`, which is not present in recent `venv` environments. Taking the template file `activate_this.py` is not going to work. Luckily, there is a stale PR for that issue, which contains a solution.

Reviewers: gaborbernat approved these changes; avm19 left review comments.
