On Wed, 06 Nov 2002, Steve Waterbury email@example.com wrote:
How is having "." on your PYTHONPATH a serious security hole? (Of course it shouldn't be on _root_'s PYTHONPATH, but how is it bad for a regular user?)
What if you run a Python program from /tmp? One of those smart programs which do something like
'''
try:
    import gtk
except ImportError:
    gtk = None
'''
What if some malicious user put a gtk.py in /tmp which does something like
'''
open(os.path.expanduser("~/.secret"))
os.chmod(os.path.expanduser("~/.secret"), 0777)
'''
And to top it all, assume gtk is, indeed, not installed on this system.
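
An added example, not part of the original message: a defensive check for the situation described in this thread, which flags module search path entries that resolve against the current directory or point at a world-writable directory, and reports which directory would supply a given module. The function names and the temporary directory layout are assumptions made for illustration, and the lookup only considers `.py` files and packages, which is a simplification of the real import system.

```python
import os
import stat
import tempfile

def classify_entry(entry, cwd):
    """Return the reasons a sys.path-style entry is risky (empty list if none)."""
    reasons = []
    # '' and '.' (any relative entry) resolve against the current directory,
    # so the directory the program is started from decides what gets imported.
    if not os.path.isabs(entry):
        reasons.append("relative-to-cwd")
    resolved = os.path.abspath(os.path.join(cwd, entry))
    try:
        mode = os.stat(resolved).st_mode
    except OSError:
        return reasons  # a missing directory cannot supply modules
    # World-writable directories such as /tmp let any local user drop a module.
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def first_provider(module, entries, cwd):
    """Return the first directory that would supply `module`; entries are searched in order."""
    for entry in entries:
        base = os.path.abspath(os.path.join(cwd, entry))
        candidates = (os.path.join(base, module + ".py"),
                      os.path.join(base, module, "__init__.py"))
        if any(os.path.isfile(c) for c in candidates):
            return base
    return None

def audit(module, entries, cwd):
    """Return ({risky entry: reasons}, directory that would provide `module`)."""
    findings = {e: classify_entry(e, cwd) for e in entries}
    return {e: r for e, r in findings.items() if r}, first_provider(module, entries, cwd)

def demo():
    # Constructed layout: "shared" stands in for /tmp, "site" for a normal module dir.
    with tempfile.TemporaryDirectory() as root:
        shared, site = os.path.join(root, "shared"), os.path.join(root, "site")
        os.mkdir(shared); os.mkdir(site)
        os.chmod(shared, 0o1777)
        os.chmod(site, 0o755)
        open(os.path.join(shared, "gtk.py"), "w").close()  # empty placeholder file
        findings, provider = audit("gtk", [".", site], cwd=shared)
        return findings, provider == os.path.abspath(shared)

if __name__ == "__main__":
    print(demo())
```

Passing `sys.path` and `os.getcwd()` to `audit` applies the same check to a running interpreter.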