[Python-Dev] CVE-2008-5983 "untrusted python modules search path"

Antoine Pitrou solipsis at pitrou.net
Sat May 2 21:45:47 CEST 2009


Hello,

I don't think it has already been posted to the list, apologies if it has.

Some Linux tools and vendors have been hit by an alleged "security hole" where
an embedded Python interpreter will prepend the current working directory to
sys.path as soon as PySys_SetArgv() is called by the embedding application. This
means, for example, that a Python file in the working directory can break
plugins or extensions written for that application if the Python file happens to
shadow another module.

Regardless of whether this is a security hole or not, it certainly can make
things disturbingly surprising when the situation arises. In the bug report
(http://bugs.python.org/issue5753), I suggested we add a new function
PySys_SetArgvEx() which would take an additional parameter telling whether to
touch sys.path or not (in the same spirit as Py_InitializeEx() providing a more
flexible API than Py_Initialize()).

On the other hand, I don't think we can change the default behaviour of
PySys_SetArgv(), since there are probably tools and applications relying on it
(the obvious use case which comes to my mind is a third-party interactive
interpreter).

Any opinions?

Regards

Antoine.
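
Added illustration, not part of the original message: a Python sketch of the shadowing effect described above, with a check that lists modules in a working directory that would override ones already importable once that directory is prepended to the search path. The directory and module names (`app_plugins`, `workdir`, `apphelper`, `notes_only`) are constructed for the example.

```python
import importlib
import importlib.machinery
import os
import tempfile


def resolve(name, search_path):
    """File that a top-level `import name` would load given this search path."""
    importlib.invalidate_caches()
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None


def shadowed_modules(workdir, base_path):
    """Modules in workdir that would replace one already importable from
    base_path if workdir were prepended to it."""
    found = {}
    for entry in sorted(os.listdir(workdir)):
        full = os.path.join(workdir, entry)
        if entry.endswith(".py") and os.path.isfile(full):
            name = entry[:-3]
        elif os.path.isfile(os.path.join(full, "__init__.py")):
            name = entry
        else:
            continue
        if not name.isidentifier():
            continue
        before = resolve(name, list(base_path))
        after = resolve(name, [workdir] + list(base_path))
        if before and after != before:
            found[name] = (before, after)
    return found


def demo():
    """Constructed layout: an application's plugin dir and an unrelated cwd."""
    with tempfile.TemporaryDirectory() as root:
        plugins = os.path.join(root, "app_plugins")  # hypothetical app dir
        workdir = os.path.join(root, "workdir")      # hypothetical cwd
        for d in (plugins, workdir):
            os.mkdir(d)
        for d, mod in ((plugins, "apphelper"), (workdir, "apphelper"),
                       (workdir, "notes_only")):
            with open(os.path.join(d, mod + ".py"), "w") as fh:
                fh.write("# constructed sample module\n")
        hits = shadowed_modules(workdir, [plugins])
        # Report only the parent directory each import resolves from.
        return {n: tuple(os.path.basename(os.path.dirname(p)) for p in pair)
                for n, pair in hits.items()}
```

`demo()` reports that `apphelper` moves from `app_plugins` to `workdir` when the working directory comes first, while `notes_only` is not reported because nothing on the base path has that name.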



