[issue5753] CVE-2008-5983 python: untrusted python modules search path
Jan Lieskovsky
report at bugs.python.org
Tue Apr 14 13:47:32 CEST 2009
Jan Lieskovsky <iankko at seznam.cz> added the comment:
To sum up the behavior, the following table shows whether
modules are read from the current working directory for the various
ways the Python scripts can be launched (unfixed/fixed version):
unfixed  fixed  run as
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
yes      no     python test.py
yes      no     python ./test.py
yes      no     python /tmp/396/test.py
yes      no     /bin/env python test.py
yes      yes    test.py
yes      yes    ./test.py
yes      yes    /tmp/396/test.py
yes      yes    /usr/bin/python test.py
yes      yes    /usr/bin/python ./test.py
yes      yes    /usr/bin/python /tmp/396/test.py
no       no     test-in-different-dir.py
no       no     ./bin/test-in-different-dir.py
no       no     python ./bin/test-in-different-dir.py
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5753>
_______________________________________