Python eggs zip-archive used instead of extracted file since v6.2.9 - concerned about execution of untrusted code

Hi there!

We noticed that since v6.2.9 seahub.sh won’t start unless you give the executing user (“seafile”) write permissions in “/home/seafile/.python-eggs”, where it extracts the contents of the zip file “SQLAlchemy-1.1.3-py2.7-linux-x86_64.egg”.

Please tell us why the seafile-user would need write permissions all of a sudden, when it never needed them before. Couldn’t you just include the extracted python-eggs-archive? We don’t see the reason for this change in procedure.

Thanks in advance!

3 Likes