I reviewed python-django-gravatar2 version 1.4.2-3 as checked into
disco. This should not be considered a full security audit, but rather a
quick gauge of maintainability.
- There are no prior CVEs against the package
- Build depends: debhelper (>= 11), dh-python, python-all, python-setuptools, python3-all, python3-setuptools
- does not daemonize
- no initscripts
- no dbus services
- no setuid files
- no sudo fragments
- no udev rules
- does not fork
- Test suite performs thorough testing. Some tests rely on internet
access. These tests are NOT run during build.
- no cronjobs
- no logging (not applicable)
- This project has had no activity in the past 1.5 years.
- does not use WebKit
- does not use PolicyKit
- does not use Javascript
- no memory management concerns
The URL returned by gravatar_url() is escaped, whereas the URL returned
in gravatar_profile_url() is not. A pull request has been submitted
upstream to rectify this. https://github.com/twaddington/django-gravatar/pull/29
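To make the escaping point concrete, the following is an added example written for this review; it is not code from django-gravatar. It rebuilds the two URL kinds in the public Gravatar scheme (MD5 of the trimmed, lower-cased address; host and query-parameter names are assumptions mirroring that scheme) and shows the two independent encoding layers: urlencode() protects the URL syntax, html.escape() protects the HTML attribute the URL is later dropped into. A URL that skips the second step can close its attribute if any part of it was hand-concatenated. The hostile input is constructed for the demonstration.

```python
import hashlib
import html
from urllib.parse import urlencode

# Assumed base host for this example (mirrors the public Gravatar scheme).
GRAVATAR_BASE = "https://www.gravatar.com"


def gravatar_hash(email: str) -> str:
    """Gravatar identifies an address by the MD5 of its trimmed, lower-cased form."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def build_gravatar_url(email: str, size: int = 80, default: str = "mm", rating: str = "g") -> str:
    """Avatar image URL. urlencode() percent-encodes the query values, which
    protects the URL syntax but says nothing about the HTML context the
    finished URL will be placed into."""
    query = urlencode({"s": size, "d": default, "r": rating})
    return f"{GRAVATAR_BASE}/avatar/{gravatar_hash(email)}?{query}"


def build_gravatar_profile_url(email: str) -> str:
    """Profile page URL: base host plus the hash, no query string."""
    return f"{GRAVATAR_BASE}/{gravatar_hash(email)}"


def html_escape_url(url: str) -> str:
    """Second layer: make the string safe inside an HTML attribute.
    '&' becomes '&amp;' and quotes become entities, so the URL can never
    terminate the attribute it sits in."""
    return html.escape(url, quote=True)


def img_tag(url: str, escaped: bool) -> str:
    """Render <img src="..."> with or without the HTML-context escaping step."""
    src = html_escape_url(url) if escaped else url
    return f'<img src="{src}">'


def link_tag(url: str, escaped: bool) -> str:
    """Render <a href="..."> with or without the HTML-context escaping step."""
    href = html_escape_url(url) if escaped else url
    return f'<a href="{href}">profile</a>'


def demo() -> dict:
    """Constructed scenario: a caller supplies a value containing a double quote."""
    email = " Alice@Example.org "
    hostile_default = '"><script>alert(1)</script>'
    # Through urlencode(): the quote is percent-encoded, so even the unescaped
    # <img> stays inside its attribute (only the bare '&' separators remain).
    img = build_gravatar_url(email, default=hostile_default)
    # Hand-concatenated (hypothetical 'from' parameter, no urlencode): the quote
    # survives verbatim, and only HTML escaping keeps it inside the attribute.
    profile = build_gravatar_profile_url(email) + "?from=" + hostile_default
    return {
        "img_unescaped": img_tag(img, escaped=False),
        "img_escaped": img_tag(img, escaped=True),
        "profile_unescaped": link_tag(profile, escaped=False),
        "profile_escaped": link_tag(profile, escaped=True),
    }


if __name__ == "__main__":
    for name, markup in demo().items():
        print(f"{name}: {markup}")
```

The takeaway for the template-tag author is that escaping belongs at the point where the string enters HTML, regardless of how carefully the URL itself was assembled; that is the step gravatar_url() performs and gravatar_profile_url() omits.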
Some functions are capable of raising exceptions but provide no
documentation or indication to the user that exceptions may be raised.
Exceptions should be caught by Django and transformed into HTTP 500
errors, so theoretically there is no harm.
ACK from the security team for promoting to main