[issue5753] CVE-2008-5983 python: untrusted python modules search path
Jan Lieskovsky
report at bugs.python.org
Wed Jul 15 22:54:54 CEST 2009
Jan Lieskovsky <iankko at seznam.cz> added the comment:

Link to an older Python tracker issue discussing the same problem and
closed with "won't fix":

http://bugs.python.org/issue946373

Strangely enough, but implied from reading the above issue, just an
idea (don't shoot :)). Wouldn't it be possible to recognize
if the module name the script | embedded application is trying
to load belongs to && conflicts with the 'standard' Python module
names as listed in:

http://docs.python.org/modindex.html

and in that case:
a, issue a warning when loading it?
b, refuse to import it, in case it doesn't come from the usual
   standard Python modules location?

Probably off-topic, but is there some mechanism in Python to
determine if the module / module name belongs to:
a, the 'standard Python module set' or
b, is a custom module, written by a Python user?
(via the Python interpreter's __main__ module's namespace
dictionary? -- based on [1])

[1] http://www.linuxjournal.com/article/8497
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5753>
_______________________________________