[Python-Dev] Adding a new C API function in 2.6

Guido van Rossum guido at python.org
Thu May 20 21:53:31 CEST 2010


Sounds good to me, since this is (a) a security fix that will make
some vendors happy, and (b) only a C-level API. I expect that some
apps embedding Python will use this API unconditionally and this breaks
with earlier Python versions; this could be intentional because of the
vulnerability (else why would they change their code to call the new
API), or they can use an #if to check for a version >= 2.6.6.

--Guido

On Thu, May 20, 2010 at 12:32 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>
> Hello,
>
> I would like to check that it's possible to add a new C API function in the
> 2.6 branch, on the basis that it would help solve what seems to be
> reported as a security problem by several vendors (including Linux
> distributions) -- see http://bugs.python.org/issue5753 for a thorough
> discussion.
>
> The change is rather minimal at the code level; it adds a new function
> PySys_SetArgvEx which has an additional flag telling it whether to
> update sys.path or not. The existing PySys_SetArgv function
> unconditionally updates sys.path, which can allow shadowing of stdlib
> or third-party library modules by an attacker.
>
> Thank you
>
> Antoine.
>
>



-- 
--Guido van Rossum (python.org/~guido)

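As an added example (not code from this thread or from CPython), the Python script below models the sys.path[0] entry that PySys_SetArgv prepends, reports which module names a file in that directory would satisfy ahead of the real module, and strips the entry, giving the sys.path an embedder would get from PySys_SetArgvEx with updatepath=0. The decoy file, the script path and STDLIB_DIR are constructed for the demo; the dirname-of-argv[0] rule is a simplified model of the C code.

```python
import os
import tempfile
from importlib.machinery import PathFinder

# Stand-in for the real stdlib directory; constructed for the demo.
STDLIB_DIR = "/usr/lib/python2.6"

def argv_dir_entry(argv0):
    """Model of the entry PySys_SetArgv prepends to sys.path: the directory
    part of argv[0], or '' (the current working directory) when argv[0] is
    a bare filename."""
    return os.path.dirname(argv0)

def harden_path(path, argv0):
    """Return `path` without the argv[0]-derived entry at index 0, i.e. the
    sys.path an embedder gets from PySys_SetArgvEx(..., updatepath=0).
    Only index 0 is inspected, since that is where PySys_SetArgv inserts."""
    entry = argv_dir_entry(argv0)
    if path and path[0] == entry:
        return path[1:]
    return list(path)

def shadowed_modules(directory, names):
    """Report which of `names` a file in `directory` would satisfy if that
    directory sat at sys.path[0]; those names would import the local file
    instead of the stdlib or third-party module. '' is resolved to the
    current working directory, as the import system does."""
    search = [directory or os.getcwd()]
    return [n for n in names if PathFinder.find_spec(n, search) is not None]

def demo():
    """Constructed scenario: a decoy 'random.py' lies next to the script the
    embedder passed as argv[0]. Returns (shadowed names, unsafe path,
    hardened path)."""
    with tempfile.TemporaryDirectory() as script_dir:
        with open(os.path.join(script_dir, "random.py"), "w") as f:
            f.write("# constructed decoy; would be imported as 'random'\n")
        argv0 = os.path.join(script_dir, "app.py")
        unsafe = [argv_dir_entry(argv0), STDLIB_DIR]  # what PySys_SetArgv yields
        shadowed = shadowed_modules(unsafe[0], ["random", "json"])
        return shadowed, unsafe, harden_path(unsafe, argv0)

if __name__ == "__main__":
    shadowed, unsafe, safe = demo()
    print("shadowed with PySys_SetArgv:", shadowed)
    print("sys.path after hardening:", safe)
```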
