[issue35755] Remove current directory from posixpath.defpath to enhance security
STINNER Victor
report at bugs.python.org
Wed Jan 16 18:54:57 EST 2019
STINNER Victor <vstinner at redhat.com> added the comment:
I wrote attached execv_curdir.py to check if os.execv() tries to find the executable in the current directory if it doesn't contain a directory: yes, it does.
$ python3 execv_curdir.py
execv() searchs in the current directory
I also wrote attached subprocess_curdir.py which confirms that subprocess runs a program from the current directory if it exists.
$ python3 subprocess_curdir.py
defpath = :/bin:/usr/bin
subprocess searchs in the current directory
Moreover, the current directory has the priority over /bin and /usr/bin.
----------
Added file: https://bugs.python.org/file48063/execv_curdir.py
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35755>
_______________________________________
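The lookup order reported in the message above follows from the leading empty entry in `:/bin:/usr/bin`, which a POSIX path search resolves against the working directory. The sketch below is an added example, not part of the message or its attached scripts; the helper names and the working directory `/tmp/untrusted` are hypothetical. It flags such entries in a search path, lists the candidates in the order they are tried, and builds a path without them.

```python
import posixpath

# Value printed by subprocess_curdir.py in the message above.
REPORTED_DEFPATH = ":/bin:/usr/bin"


def cwd_entries(search_path):
    """Return (index, entry) for entries that resolve against the current directory.

    An empty entry (leading, trailing or doubled ':') and any relative entry
    such as '.' are looked up relative to the caller's working directory.
    """
    return [(i, entry) for i, entry in enumerate(search_path.split(":"))
            if not posixpath.isabs(entry)]


def candidate_order(program, search_path, cwd):
    """List the absolute paths tried, in order, for a name without a slash."""
    if "/" in program:
        raise ValueError("names containing '/' are not searched on the path")
    return [posixpath.normpath(posixpath.join(cwd, entry, program))
            for entry in search_path.split(":")]


def strip_cwd_entries(search_path):
    """Drop every entry that would resolve against the current directory."""
    return ":".join(e for e in search_path.split(":") if posixpath.isabs(e))


if __name__ == "__main__":
    cwd = "/tmp/untrusted"  # constructed working directory (assumption)
    print(cwd_entries(REPORTED_DEFPATH))
    for path in candidate_order("ls", REPORTED_DEFPATH, cwd):
        print(path)
    print(strip_cwd_entries(REPORTED_DEFPATH))
```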