How to get path of a .py script
Bernhard Herzog
bh at intevation.de
Wed Dec 11 17:01:37 EST 2002
"David Necas (Yeti)" <yeti at physics.muni.cz> writes:
> After I posted it, I realized this is a strong argument
> against using sys.path[0] for anything, because it allows
> a nasty symlink attack.

How? If using sys.path[0] for anything is a security problem, all Python
scripts have it because Python looks in sys.path for modules.

> I can make it contain anything I want (I
> need write permissions in the directory which will appear
> there) by deliberately symlinking the script.

You'd still have to get someone to execute that symlink. If you can do
that you could just as well supply a real script doing whatever you
want. That's a well-known security risk on Unix-like systems and the
reason one shouldn't have . in $PATH.

Bernhard
--
Intevation GmbH http://intevation.de/
Sketch http://sketch.sourceforge.net/
MapIt! http://mapit.de/
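
A defensive check for the concern discussed in this message, as an added example that is not part of the original post: it lists entries of sys.path and $PATH that are relative (such as '.') or that another user can write to. The name audit_search_dirs, the default trusted uids (root and the current user) and the sample directories are assumptions of this example; it is POSIX only and inspects each directory itself, not its parents.

```python
import os
import stat
import sys
import tempfile


def audit_search_dirs(entries, trusted_uids=None):
    """Return (entry, reason) pairs for search-path entries another user could plant files in."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}  # assumption: root and the current user are trusted
    findings = []
    for entry in entries:
        # '' and '.' (and any relative entry) resolve against the current
        # working directory, i.e. whatever directory the user happens to be in.
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry, resolved against the cwd"))
            continue
        try:
            st = os.stat(entry)  # follows symlinks, as the module/executable lookup does
        except OSError:
            continue  # entries that do not exist are skipped by the lookup as well
        if st.st_uid not in trusted_uids:
            findings.append((entry, "owned by untrusted uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable by group or others"))
    return findings


def demo():
    """Constructed sample: one tight directory, one world-writable one, plus '' and '.'."""
    base = tempfile.mkdtemp()
    safe = os.path.join(base, "safe")
    loose = os.path.join(base, "loose")
    os.mkdir(safe)
    os.mkdir(loose)
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)
    return safe, loose, audit_search_dirs(["", safe, loose, "."])


if __name__ == "__main__":
    for entry, reason in audit_search_dirs(sys.path):
        print("sys.path %r: %s" % (entry, reason))
    for entry, reason in audit_search_dirs(os.environ.get("PATH", "").split(os.pathsep)):
        print("$PATH    %r: %s" % (entry, reason))
```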