[Yum] Security issues with include= implementation in yum.conf

Ryan Tomayko rtomayko at naeblis.cx
Mon Oct 6 22:19:54 UTC 2003

On Mon, 2003-10-06 at 08:16, Michael Stenner wrote:
> On Sun, Oct 05, 2003 at 10:30:22PM -0400, seth vidal wrote:
> > ok - then when you get a chance to make that patch all urlgrabber-y, we
> > can look at merging it in.
> I have a version of urlgrabber that supports urlopen (returns a file
> object) and urlread (returns a string containing the file contents),
> either of which might be more handy here, 

Yep. The version that returns a file object would be exactly what I'm
looking for. I guess a string would be fine too but a file object would
fit into what I have now a little better.

> unless you really do want to assemble a combined version locally on disk.  

Naw... Actually, the current rev doesn't do this either. It just reads
each included file on the fly as if it were part of the yum.conf
file-object. i.e. readline() delegates calls to included file-objects
when inside an include. The delegating file-like-object is what is fed
into the ConfigParser. 

> It's not up yet, but if you're interested, I can hurry that along.

Oh, that would be wonderful mr. urlgrabber (seth made me say that). What
I'm really hoping is that I can replace the urllib.urlopen() and file()
calls with calls to urlgrabber. What would be great is if I could call a
grab method with a string that might be a [file|http|ftp] url or might
be a local path and have urlgrabber give me back a file object. That
would get rid of a lot of the crufty nonsense I have going on to deal
with local files and urls differently.

Also, while we're on the topic. What about caching? Someone brought up
the fact that remote includes will break when running in cache-only mode.
I didn't have a real long look at urlgrabber but it looked like some of the
grab functions took (among other things) the remote url and a temp file.
When grabbing something like a header or a rpm in current yum, does:

  1. the temp file arg correspond to the cached filename? 

  2. urlgrabber have any checks built in for checking if the cached 
     file is stale, and if so, does it handle regrabbing automatically? 

- Ryan
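
The delegating file-like object described in the message above, sketched as an added example in modern Python 3 (this is not the patch under discussion and not yum or urlgrabber code). The `opener` callable, the `max_depth` cap and the in-memory sample files are assumptions made for illustration.

```python
import configparser
import io

class IncludingReader:
    """File-like wrapper: readline() delegates to an included file while one is open."""

    def __init__(self, fileobj, opener, max_depth=4):
        self._stack = [fileobj]      # innermost include is last
        self._opener = opener        # hypothetical callable: name -> file object
        self._max_depth = max_depth  # assumption: cap nesting so include loops terminate

    def readline(self):
        while self._stack:
            line = self._stack[-1].readline()
            if not line:             # EOF on the current file: resume its parent
                self._stack.pop().close()
                continue
            key, sep, value = line.partition("=")
            if sep and key.strip() == "include":
                if len(self._stack) > self._max_depth:
                    raise ValueError("include nesting too deep: " + value.strip())
                self._stack.append(self._opener(value.strip()))
                continue             # the include= line itself is not passed on
            return line if line.endswith("\n") else line + "\n"
        return ""                    # every file exhausted

    def __iter__(self):              # ConfigParser.read_file() iterates over lines
        return iter(self.readline, "")

# Constructed in-memory "files" standing in for local paths or URLs.
SAMPLE = {
    "yum.conf": "[main]\ncachedir=/var/cache/yum\ninclude=repos.conf\ndebuglevel=2\n",
    "repos.conf": "[base]\nname=Base\n",
}

def load(name, files=SAMPLE, max_depth=4):
    """Parse `name`, expanding include= lines inline as the parser reads."""
    opener = lambda n: io.StringIO(files[n])
    parser = configparser.ConfigParser()
    parser.read_file(IncludingReader(opener(name), opener, max_depth), source=name)
    return parser

if __name__ == "__main__":
    cfg = load("yum.conf")
    for section in cfg.sections():
        print(section, dict(cfg[section]))
```

Because the included lines are spliced into the stream, `debuglevel` in the sample ends up in `[base]`, the section the included file left open, rather than in `[main]`.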
