[issue12989] Consistently handle path separator in Py_GetPath on Windows
report at bugs.python.org
Fri Sep 16 02:08:16 CEST 2011
New submission from Nam Nguyen <bitsink at gmail.com>:
The module search path is constructed from PYTHONPATH env-var, then zip path, then HKCU PythonPath, then HKLM PythonPath, then PYTHONPATH define (in pyconfig.h), and finally argv. If PYTHONHOME is available, the PYTHONPATH define is expanded. These paths are separated by semicolon.
Without PYTHONHOME, PYTHONPATH define is appended to module_search_path as-is, and a semicolon comes **after** that. With PYTHONHOME, PYTHONPATH define is expanded, and there is no semicolon after it. Then, finally, when argv is added to module_search_path, a semicolon is **prepended** before it.
This inconsistency in handling the path delimiter leads to a case where two semicolons are next to each other (;;), which is translated to the current directory. It happens when PYTHONHOME is not found. The current directory is put in front of the application directory (argv), causing a security issue whereby external modules might be imported inadvertently.
This patch makes semicolon handling consistent. A semicolon is appended at the end of every path component, except argv.
components: Interpreter Core, Windows
title: Consistently handle path separator in Py_GetPath on Windows
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file23169/getpath.consistent.delim.patch
Python tracker <report at bugs.python.org>
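Added example, not part of the original report and not CPython's own code: a simplified C model of the separator handling the report describes, next to the consistent form the patch describes, with a check that counts empty components in the resulting search path. The function names and the sample paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count empty components in a ';'-separated search path. Per the report,
   an empty component (as in ";;") is treated as the current directory. */
int count_empty_components(const char *path)
{
    int empty = 0;
    const char *start = path;
    const char *p;
    for (p = path; ; p++) {
        if (*p == ';' || *p == '\0') {
            if (p == start)
                empty++;            /* nothing between two delimiters */
            if (*p == '\0')
                break;
            start = p + 1;
        }
    }
    return empty;
}

/* Model of the reported behaviour (hypothetical helper): without PYTHONHOME
   a ';' follows the PYTHONPATH define, with PYTHONHOME none does, and the
   argv directory always gets a ';' prepended. */
int build_reported(char *out, size_t n, const char *define_part,
                   int have_home, const char *argv_dir)
{
    return snprintf(out, n, "%s%s;%s", define_part,
                    have_home ? "" : ";", argv_dir);
}

/* Model of the patched behaviour (hypothetical helper): one ';' after
   every component except argv, which comes last. */
int build_consistent(char *out, size_t n, const char *define_part,
                     const char *argv_dir)
{
    return snprintf(out, n, "%s;%s", define_part, argv_dir);
}

int main(void)
{
    char buf[256];
    /* Constructed sample values, not taken from pyconfig.h. */
    build_reported(buf, sizeof buf, ".\\DLLs;.\\lib", 0, "C:\\app");
    printf("%d empty component(s): %s\n", count_empty_components(buf), buf);
    return 0;
}
```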