executing python code

Michael Fuhr mfuhr at fuhr.org
Sat Nov 6 04:52:03 CET 2004


Mike Meyer <mwm at mired.org> writes:
> mfuhr at fuhr.org (Michael Fuhr) writes:
> > For security reasons it's usually wise to leave "." out of your PATH
>
> Actually, those reasons relate to having "." early in your path. If
> it's the last thing on your path, you won't trigger any trojan horses.

Putting "." lessens the chances of tripping over a trojan but it
doesn't eliminate the possibility entirely.  Think about typos or
commands that you thought were earlier in your path but aren't --
the latter might happen, for example, if you move to a different
OS and aren't aware that some commands are in a location that's not
in your default path.

Relying on "." being in your path might also lead you to write code
that breaks for somebody who doesn't have "." in their path.  An
example would be a Makefile or build script that runs other commands
in the same directory and assumes those commands will be in the
user's path.  It's sloppy to make that assumption, but people get
careless and sloppy things slip by.

But this is getting off topic for Python.

> I find that symlinking ~/src/python/mycode.py to ~/bin/mycode means I
> get to invoke it without having to specify the extension, and don't
> have to reinstall the file if I change it.

I sometimes do that as well.

-- 
Michael Fuhr
http://www.fuhr.org/~mfuhr/



More information about the Python-list mailing list