Editing text with an external editor in Python

Chris Angelico rosuav at gmail.com
Tue Sep 2 00:25:32 CEST 2014


On Tue, Sep 2, 2014 at 4:02 AM, Steven D'Aprano
<steve+comp.lang.python at pearwood.info> wrote:
> I'm not really seeing how this is a security vulnerability. If somebody can
> break into my system and set a hostile GIT_EDITOR, or TMPDIR, environment
> variables, I've already lost.

Agreed. If I'm calling on your program and setting EDITOR or
GIT_EDITOR or whatever to configure how you ask me to edit a file,
that's because it's *my* system. The aforementioned setup is actually
run as root; the 'editor' quite deliberately does almost nothing, but
I know it's safe because I'm the one in control, not because the
editor's sanitized.

ChrisA



More information about the Python-list mailing list