[issue5753] CVE-2008-5983 python: untrusted python modules search path
Tomas Hoger
report at bugs.python.org
Mon Jul 13 12:26:21 CEST 2009
Tomas Hoger <thoger at redhat.com> added the comment:
An additional API has one disadvantage - it requires a modification of all
affected applications embedding python, which is not likely to happen
soon after the API is introduced.
Therefore, it may still be worth reviewing the current behaviour (which
seemed to have had no documentation until recently, see issue #5144, and
can probably still benefit from more warnings related to the embedded
use) in this corner case (argv0 is bogus and contains no '/') to see if
it may be worth changing in future python versions.
As for command line flags, I presume you're referring to the
'wcscmp(argv0, L"-c")' part of the patch. It's not more than a re-use
of the pattern already used a couple of times in PySys_SetArgv, that
got added via:
http://svn.python.org/view?view=rev&revision=39544
Again, it's an attempt to make sure this only changes behaviour in a
rather specific case.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5753>
_______________________________________
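Added example, not part of the tracker thread or of CPython: a simplified model of what PySys_SetArgv() prepends to sys.path for a given argv0 (assumption: '/' separator only, no symlink resolution), showing why a bogus argv0 with no '/' yields '' (the current directory), plus the sanitisation step an embedding application can apply itself while no new API exists. The function names are my own.

```python
import os
import sys


def legacy_path0(argv0):
    """Model of the sys.path[0] entry PySys_SetArgv() inserts for argv0.

    Assumption (simplified from the thread's description): '-c' keeps the
    interpreter's own behaviour, otherwise the directory part of argv0 is
    used, and an argv0 with no '/' degrades to '' == current directory.
    """
    if argv0 == "-c":
        return ""          # 'python -c' deliberately wants cwd here
    sep = argv0.rfind("/")
    if sep == -1:
        return ""          # bogus argv0, no '/': cwd is searched first
    return argv0[:sep] or "/"


def embedder_sanitize(path, cwd=None):
    """Mitigation for an embedding application after PySys_SetArgv():
    drop entries that resolve to the current working directory so that
    modules are not imported from wherever the process happens to run."""
    cwd = os.getcwd() if cwd is None else cwd
    cwd_abs = os.path.abspath(cwd)
    cleaned = []
    for entry in path:
        if entry in ("", "."):
            continue       # literal cwd markers
        if os.path.abspath(entry) == cwd_abs:
            continue       # explicit path that is the cwd
        cleaned.append(entry)
    return cleaned


if __name__ == "__main__":
    # Constructed argv0 values an embedder might pass, and the resulting entry.
    for argv0 in ("bogus", "-c", "bin/app", "/usr/bin/app"):
        print("%-14r -> sys.path[0] == %r" % (argv0, legacy_path0(argv0)))
    # Apply the mitigation to the running interpreter's own path.
    sys.path[:] = embedder_sanitize(sys.path)
    print("cwd entries removed; sys.path[0] is now %r" % sys.path[0])
```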