view .github/workflows/build-xapian.yml @ 8356:63390dcfcfe9
bug: fix template use of structure with untrusted data
Looks like an XSS bug with an early version of the template that was
fixed in the code but never in the deployed tracker. It has been a
while since this particular construct has been in the classic template
which is the base for the tracker.
This has been fixed on the deployed tracker as well.
reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 10:23:09 -0400 |
| parents | 6137598ac8b0 |
| children | 3db40a355a6c |
```yaml
name: build-xapian

on:
  push:
    # skip if github.ref is 'refs/heads/maint-1.6'
    # aka github.ref_name of 'maint-1.6'
    # see https://github.com/orgs/community/discussions/26253
    # for mechanism to control matrix based on branch
    branches: [ "*", '!maint-1.6' ]
  workflow_dispatch:
    inputs:
      debug_enabled:
        type: boolean
        description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
        required: false
        default: false

# GITHUB_TOKEN only has read repo context.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    name: build xapian

    runs-on: ubuntu-24.04

    env:
      # get colorized pytest output even without a controlling tty
      PYTEST_ADDOPTS: "--color=yes"
      # OS: ${{ matrix.os }}
      PYTHON_VERSION: 3.13

    steps:
      # Checkout the latest code from the repo
      - name: Checkout source
        # example directives:
        #   disable step
        # if: {{ false }}
        #   continue running if step fails
        # continue-on-error: true
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Setup version of Python to use
      - name: Set Up Python 3.13
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: 3.13
          allow-prereleases: true
          cache: 'pip'

      - name: Install build tools - setuptools
        run: pip install setuptools

      # Display the Python version being used
      - name: Display Python and key module versions
        run: |
          python -c "import sys; print('python version: ', sys.version)"
          python -c "import sqlite3; print('sqlite version: ', sqlite3.sqlite_version)"
          python -c "import setuptools; print('setuptools version: ', setuptools.__version__);"

      - name: Update pip
        run: python -m pip install --upgrade pip

      # https://github.com/mxschmitt/action-tmate
      # allow remote ssh into the CI container. I need this to debug
      # some xfail cases
      - name: Setup tmate session
        uses: mxschmitt/action-tmate@v3
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
        timeout-minutes: 60
        with:
          limit-access-to-actor: true

      - name: Install xapian
        run: |
          set -xv
          sudo apt-get install libxapian-dev
          # Sphinx required to build the xapian python bindings. Use 1.8.5 on
          # older python and newest on newer.
          pip install sphinx
          XAPIAN_VER="1.4.22"; echo $XAPIAN_VER;
          cd /tmp
          curl -s -O https://oligarchy.co.uk/xapian/$XAPIAN_VER/xapian-bindings-$XAPIAN_VER.tar.xz
          tar -Jxvf xapian-bindings-$XAPIAN_VER.tar.xz
          cd xapian-bindings-$XAPIAN_VER/
          # edit the configure script.
          # distutils.sysconfig.get_config_vars('SO') doesn't work for
          # 3.11 or newer.
          # Change distutils.sysconfig... to just sysconfig and SO
          # to EXT_SUFFIX to get valid value.
          # DISABLED use their script
          if [[ $PYTHON_VERSION == "X."* ]]; then
            cp configure configure.FCS;
            sed -i \
              -e '/PYTHON3_SO=/s/distutils\.//g' \
              -e '/PYTHON3_SO=/s/"SO"/"EXT_SUFFIX"/g' \
              -e '/PYTHON3_CACHE_TAG=/s/imp;print(imp.get_tag())/sys;print(sys.implementation.cache_tag)/' \
              -e '/PYTHON3_CACHE_OPT1_EXT=/s/imp\.get_tag()/sys.implementation.cache_tag/g' \
              -e '/PYTHON3_CACHE_OPT1_EXT=/s/imp\b/importlib/g' \
              configure;
            diff -u configure.FCS configure || true;
          fi
          ./configure --prefix=$VIRTUAL_ENV --with-python3 --disable-documentation
          make && sudo make install
          python -c 'import xapian'
```
