[issue5753] CVE-2008-5983 python: untrusted python modules search path

Antoine Pitrou report at bugs.python.org
Fri May 21 11:29:04 CEST 2010


Antoine Pitrou <pitrou at free.fr> added the comment:

> Absolute path to the directory where script is located.  And I believe
> there's no absolute path guarantee for platforms without realpath /
> GetFullPathName.

Yes, this is more precise indeed. As for realpath(), I would expect it
to be present on modern Unices (man page says "4.4BSD, POSIX.1-2001").

> If you're embedding python in your application, using SetArgv and
> don't want modified sys.path, call
> PyRun_SimpleString("sys.path.pop(0)\n"); after SysArgv to
> unconditionally drop the first sys.path argument added by SetArgv.

I suppose 
  PyRun_SimpleString("import sys; sys.path.pop(0)\n");
would be better.
Thanks for the comments, I'll update the patch.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5753>
_______________________________________
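The sys.path[0] concern and the pop(0) workaround discussed above, as an added Python example that is not part of this tracker thread; the sample path lists and the helper names are constructed for illustration:

```python
import os

# Constructed samples of what sys.path can look like right after
# PySys_SetArgv has prepended the script directory as entry 0.
SAMPLE_PATH_ABS = ["/opt/app/scripts", "/usr/lib/python2.6",
                   "/usr/lib/python2.6/lib-dynload"]
SAMPLE_PATH_REL = ["", "/usr/lib/python2.6"]   # no realpath(): bare "" entry


def leading_entry_risk(path):
    """Describe why path[0] is risky, or return None if it looks fine.

    Hypothetical helper: an empty or relative first entry is resolved
    against the current working directory, so a module placed there can
    shadow the one the application meant to import.
    """
    if not path:
        return None
    first = path[0]
    if first == "":
        return "empty entry: modules are loaded from the current working directory"
    if not os.path.isabs(first):
        return "relative entry %r: resolved against the current working directory" % first
    return None


def drop_setargv_entry(path):
    """Return a copy of `path` without its first entry.

    Python-side equivalent of the embedding workaround from the thread:
    PyRun_SimpleString("import sys; sys.path.pop(0)\\n") right after
    PySys_SetArgv, dropping the added entry unconditionally.
    """
    return list(path[1:])


if __name__ == "__main__":
    import sys
    risk = leading_entry_risk(sys.path)
    print("sys.path[0] = %r -> %s" % (sys.path[0] if sys.path else None,
                                      risk or "absolute, as expected"))
    # Apply the workaround to the live interpreter.
    sys.path[:] = drop_setargv_entry(sys.path)
```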
