[New-bugs-announce] [issue12989] Consistently handle path separator in Py_GetPath on Windows

Nam Nguyen report at bugs.python.org
Fri Sep 16 02:08:16 CEST 2011


New submission from Nam Nguyen <bitsink at gmail.com>:

The module search path is constructed from the PYTHONPATH env-var, then the zip path, then HKCU PythonPath, then HKLM PythonPath, then the PYTHONPATH define (in pyconfig.h), and finally argv[0]. If PYTHONHOME is available, the PYTHONPATH define is expanded. These paths are separated by semicolons.

Without PYTHONHOME, the PYTHONPATH define is appended to module_search_path as-is, and a semicolon comes **after** that. With PYTHONHOME, the PYTHONPATH define is expanded, and there is no semicolon after it. Then, finally, when argv[0] is added to module_search_path, a semicolon is **prepended** before it.

This inconsistency in handling the path delimiter leads to a case where two semicolons are next to each other (;;), which is translated to the current directory. It happens when PYTHONHOME is not found. The current directory is put in front of the application directory (argv[0]), causing a security issue whereby external modules might be imported inadvertently.

This patch makes semicolon handling consistent. A semicolon is appended at the end of every path component, except argv[0].

----------
components: Interpreter Core, Windows
files: getpath.consistent.delim.patch
keywords: patch
messages: 144111
nosy: Nam.Nguyen
priority: normal
severity: normal
status: open
title: Consistently handle path separator in Py_GetPath on Windows
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file23169/getpath.consistent.delim.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue12989>
_______________________________________
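
The delimiter handling described in the report, as an added example that is not part of the original message and is not CPython's own code: a simplified model of the path assembly, plus a check for empty entries that a defender can run over any semicolon-separated search path. All function names and sample paths are constructed, and the expansion rule and the handling of the components before the PYTHONPATH define are assumptions.

```python
# Simplified model of the delimiter handling described in the report.
# Not CPython's getpath code; every name and sample value is constructed.
DELIM = ";"

def expand(define, home):
    # Assumption: "expanding" means rooting each "."-relative entry at PYTHONHOME.
    return DELIM.join(home + e[1:] if e.startswith(".") else e
                      for e in define.split(DELIM))

def build_reported(leading, define, argv0_dir, home=None):
    """Join the components the way the report describes the current behaviour."""
    # Assumption: env var, zip path, HKCU and HKLM entries each end with ';'.
    buf = "".join(c + DELIM for c in leading if c)
    if home is None:
        buf += define + DELIM        # define as-is, semicolon AFTER it
    else:
        buf += expand(define, home)  # expanded define, no semicolon after it
    return buf + DELIM + argv0_dir   # semicolon PREPENDED before argv[0]

def build_patched(leading, define, argv0_dir, home=None):
    """Rule from the report's patch: ';' after every component except argv[0]."""
    buf = "".join(c + DELIM for c in leading if c)
    buf += (define if home is None else expand(define, home)) + DELIM
    return buf + argv0_dir

def empty_entries(search_path):
    """Indexes of empty components; the report says these mean the current directory."""
    return [i for i, e in enumerate(search_path.split(DELIM)) if e == ""]

def cwd_shadows_app(search_path, argv0_dir):
    """True if an empty (current directory) entry is searched before argv0_dir."""
    entries = search_path.split(DELIM)
    return any(e == "" for e in entries[:entries.index(argv0_dir)])

if __name__ == "__main__":
    leading = [r"C:\extra"]                  # constructed sample values
    define, app = r".\DLLs;.\lib", r"C:\app"
    for label, path in [
        ("reported, no PYTHONHOME", build_reported(leading, define, app)),
        ("reported, PYTHONHOME   ", build_reported(leading, define, app, r"C:\Python27")),
        ("patched,  no PYTHONHOME", build_patched(leading, define, app)),
    ]:
        print(label, path, empty_entries(path), cwd_shadows_app(path, app))
```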

