20 May
2017
20 May
'17
4:56 p.m.
* Radon Rosborough <radon.neon@gmail.com>, 2017-05-20, 14:29:
I would have thought that "#!/usr/bin/env sh" runs the risk of picking up a malicious sh executable injected into the user's PATH. That's certainly a valid concern. Does this happen in the real world? I feel like if you have a malicious sh executable on your PATH, you're going to have a lot more problems than just from virtualenv.
Right. It's safe to assume that all elements of PATH are trusted. If they're not, all bets are off. That said, I'm surprised that "#!/usr/bin/env sh" was proposed instead of the more conventional "#!/bin/sh". I don't really see any advantages of the former. -- Jakub Wilk