[issue5753] CVE-2008-5983 python: untrusted python modules search path

Glyph Lefkowitz report at bugs.python.org
Wed May 6 20:58:08 CEST 2009


Glyph Lefkowitz <glyph at divmod.com> added the comment:

It suggests to me that somewhere there's some documentation, or an
example, that says "this is the right way to embed python, call this
function".

If the right thing to do is to just not call the function at all, we
need to get that knowledge out there into the embedding community and
publicize this issue.  Perhaps a doc bug?  PySys_SetArgvEx seems like it
might be a good idea for applications which do still want to set the
argument list without the sys.path implications, but a quick perusal of
the sources of plugins for the affected applications suggests that none
of them need it.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5753>
_______________________________________
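A start-up check an embedding application or plugin could run to detect the sys.path implications discussed in the comment above, where the interpreter ends up importing from the current directory or another location an untrusted user can write to. This is an added example, not code from the tracker or from CPython; the function names `classify_entry`, `audit_path` and `scrub_path` are hypothetical, and the world-writable test assumes POSIX permission bits.

```python
import os
import stat
import sys

def classify_entry(entry, cwd):
    """Return why a sys.path entry is unsafe to import from, or None."""
    if entry == "":
        return "empty entry: imports are resolved against the current directory"
    if not os.path.isabs(entry):
        return "relative entry: its meaning changes with the current directory"
    real = os.path.realpath(entry)
    if real == os.path.realpath(cwd):
        return "entry is the current working directory"
    try:
        mode = os.stat(real).st_mode
    except OSError:
        return None  # missing entry: nothing can be loaded from it right now
    # POSIX assumption: the "other" write bit means any local user can add files.
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
        return "directory is world-writable"
    return None

def audit_path(entries, cwd):
    """List (entry, reason) for every risky entry, in search order."""
    findings = []
    for entry in entries:
        reason = classify_entry(entry, cwd)
        if reason is not None:
            findings.append((entry, reason))
    return findings

def scrub_path(entries, cwd):
    """Return the search path with the risky entries dropped."""
    return [e for e in entries if classify_entry(e, cwd) is None]

if __name__ == "__main__":
    # Audit the interpreter this script is running in.
    for entry, reason in audit_path(sys.path, os.getcwd()):
        print("%r: %s" % (entry, reason))
```

Inside an embedded interpreter, `sys.path[:] = scrub_path(sys.path, os.getcwd())` applies the result before any further imports.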

