Bug 2140884
| Summary: | dnf repoquery --qf doesn't properly sanitize values | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Maxwell G <maxwell> |
| Component: | dnf | Assignee: | Jan Kolarik <jkolarik> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | low | ||
| Version: | 38 | CC: | daniel.mach, jkolarik, jmracek, jrohel, mblaha, mhatina, nsella, packaging-team-maint, pkratoch, praiskup, rpm-software-management, vmukhame |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | dnf-4.15.0-1.fc37 dnf-4.15.0-1.fc36 dnf-4.15.0-1.fc38 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-04-08 02:36:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
$ dnf repoquery --repo=rawhide dnf --qf='%{__class__.__doc__}' -q
Wrapper for dnf.package.Package, so we can control formatting
$ dnf repoquery --repo=rawhide dnf --qf='%{_pkg.base.__dict__}' -q
...
$ dnf repoquery --repo=rawhide dnf --qf='%{_pkg.base.conf}' -q
[main]
allow_vendor_change: 1
assumeno: 0
assumeyes: 0
autocheck_running_kernel: 1
bandwidth: 0
best: 0
bugtracker_url: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=dnf
...
I don't think this is a dnf5 bug. It's an issue specific to the Python version. Yes, you are right. The issue is related to the current DNF's Python CLI. But we will target the fix for the DNF5 component which should be the replacement for the current DNF in the future. Sorry for the confusion. Also apologies we can't manage to fix this issue in DNF component. > But we will target the fix for the DNF5 component This specific issue is completely unrelated to dnf5, so it can't be fixed there. `dnf5 repoquery --qf` is not implemented, but that's a separate issue that's already tracked upstream in https://github.com/rpm-software-management/dnf5/issues/122. > Also apologies we can't manage to fix this issue in DNF component. Fair enough. In that case, I'll move this back to dnf and set the assignee to nobody. Perhaps, I'll submit a fix to dnf4 if I find the time. If you'd prefer to close this as WONTFIX, that's fine. This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38. FEDORA-2023-79922004f7 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-79922004f7 FEDORA-2023-308ef1c754 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-308ef1c754 FEDORA-2023-79922004f7 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-79922004f7` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-79922004f7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-fc5633dbeb has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-fc5633dbeb` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-fc5633dbeb See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-308ef1c754 has been pushed to the Fedora 38 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-308ef1c754 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-79922004f7 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2023-fc5633dbeb has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2023-308ef1c754 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. Does this mean that '--queryformat %{location}' was working by pure coincidence before?
|
Description of problem: dnf repoquery --qf doesn't properly sanitize values from `%{}` expressions. It should only accept the values from dnf repoquery --querytags, but it currently allows looking up any attribute of dnf.package.Package and doing other wacky things. At least, it's impossible to actually call these methods... Version-Release number of selected component (if applicable): dnf-4.14.0-1.fc36.noarch Examples: $ dnf repoquery --repo=rawhide dnf --qf="%{__dict__}" -q Actual: {'_pkg': <hawkey.Package object id 9535, dnf-4.14.0-1.fc38.noarch, rawhide>} Expected: Error message or a literal "%{__dict__}" $ dnf repoquery --repo=rawhide dnf --qf="%{__eq__}" -q Actual: <method-wrapper '__eq__' of PackageWrapper object at 0x7fbbfdf9f3a0> Expected: Error message or a literal "%{__eq__}" $ dnf repoquery --repo=rawhide dnf --qf="%{_size}" -q Actual: 491942 Expected: Error message or literal "%{_size}" $ dnf repoquery --repo=rawhide dnf --qf="%{__class__}" -q Actual: <class 'dnf.cli.commands.repoquery.PackageWrapper'> Expected: Error message or literal "%{__class__}" $ dnf repoquery --repo=rawhide dnf --qf="%{afsdfas}" -q Acutal: Error: 'Package' object has no attribute 'afsdfas' Expected: A more descriptive/user friendly error message Additional info: In cases like this, "rpm -q --qf ..." emits an "error: incorrect format: unknown tag TAG_HERE" message.