Bug#764814: freecad downloads and executes code

D Haley mycae at gmx.com
Sun Oct 12 14:55:48 UTC 2014


Hi and thanks for the input,

I think this bug is less about licensing, which is a large and complex
issue, than a quick fix for code execution. Upstream can make their
decisions about licensing. This is possibly not a Debian question, and I
feel somewhat tangential to this bug, and the issues in the other bug
are still not entirely sorted. We have a technical solution that will
work here.

I think I disagree about the complexity of the SHA1 solution. I think it 
is very simple, and looks like the attached, which is incomplete. 
Notably, the other files need to be similarly patched, and the SHA1s 
need computing.

Otherwise, the SSL solution could be achieved by using, e.g., the Requests
library. Some discussion on this topic was had a while ago:
https://lwn.net/Articles/582065/

Thanks!



-------------- next part --------------
diff -r 58946a488476 src/Mod/Arch/ArchCommands.py
--- a/src/Mod/Arch/ArchCommands.py	Sun Oct 12 15:44:26 2014 +0100
+++ b/src/Mod/Arch/ArchCommands.py	Sun Oct 12 15:49:30 2014 +0100
@@ -24,6 +24,8 @@
 #***************************************************************************
 
 import FreeCAD,Draft,ArchComponent,DraftVecUtils
+import hashlib
+
 from FreeCAD import Vector
 if FreeCAD.GuiUp:
     import FreeCADGui
@@ -562,6 +564,13 @@
         FreeCAD.Console.PrintMessage("downloading "+url+" ...\n")
         response = urllib2.urlopen(url)
         s = response.read()
+	sha = hashlib.sha1(s)
+	sha_found = sha.hexdigest()
+
+	SHA1_EXPECTED_HEX="asdf"
+	if not sha_found = SHA1_EXPECTED :
+		return None
+
         f = open(filepath,'wb')
         f.write(s)
         f.close()
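
Review bot: The added comparison 'if not sha_found = SHA1_EXPECTED :' will not parse, because '=' is assignment and the test needs '!=' (or 'not ... =='), and it names SHA1_EXPECTED while the constant defined on the line above is SHA1_EXPECTED_HEX. The added lines are indented with tabs while the surrounding context lines use spaces, so the block will not line up with 's = response.read()' and 'f = open(filepath,'wb')'; use the same 8-space indentation. The value "asdf" is a placeholder, so once the syntax is fixed every download would be rejected; since 'url' is a variable here, the expected digest should be looked up per URL (or passed in by the caller) rather than held in one local constant. On a mismatch the function returns None without telling the user anything; a FreeCAD.Console message next to the existing "downloading" one would explain why nothing was written. For a digest that is being pinned from scratch, hashlib.sha256 is a better choice than hashlib.sha1 and costs nothing extra in this code.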



More information about the debian-science-maintainers mailing list