[issue5753] CVE-2008-5983 python: untrusted python modules search path
Tomas Hoger
report at bugs.python.org
Fri May 21 09:32:48 CEST 2010
Tomas Hoger <thoger at redhat.com> added the comment:
+ - If the name of an existing script is passed in ``argv[0]``, its absolute
+ path is prepended to :data:`sys.path`
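Review bot: "its absolute path is prepended" reads as the path of the script itself, but what PySys_SetArgv prepends is the directory containing the script, and the doc line should say so explicitly, e.g. "the absolute path of the directory containing that script is prepended to :data:`sys.path`". Since the resolution depends on realpath / GetFullPathName being available, "absolute" may also be overstated on platforms without them; a qualifier such as "where the platform supports it" would make the guarantee honest.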
Absolute path to the directory where the script is located. And I believe there's no absolute-path guarantee for platforms without realpath / GetFullPathName.
Should the documentation also give some guidance to those who embed Python and don't want to start using SetArgvEx right away and break compatibility with older Python versions? Something like:
If you're embedding Python in your application, are using SetArgv and don't want a modified sys.path, call PyRun_SimpleString("sys.path.pop(0)\n"); after SetArgv to unconditionally drop the first sys.path argument added by SetArgv.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5753>
_______________________________________
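As an added example (not from the tracker thread or from CPython), a Python-level equivalent of the suggested PyRun_SimpleString("sys.path.pop(0)") call that only drops sys.path[0] when it is the argv-derived entry, and then flags remaining entries another local user could populate; the function names and the candidate set are my own assumptions.

```python
# Added example (not from the tracker thread or CPython): conditionally drop the
# argv-derived sys.path[0] entry, then audit what remains.  Function names and
# the candidate set below are assumptions about PySys_SetArgv's behaviour.
import os
import stat
import sys


def argv_derived_candidates(argv0):
    """Values PySys_SetArgv may have placed at sys.path[0] for this argv[0]:
    '' (meaning the CWD), the literal dirname, or the realpath-resolved dirname
    where realpath was available.  The CWD itself is included for safety."""
    cands = {"", os.getcwd()}
    if argv0:
        cands.add(os.path.dirname(argv0))
        cands.add(os.path.dirname(os.path.realpath(argv0)))
    return cands


def drop_argv_entry(path, argv0):
    """Return a copy of `path` without the argv-derived entry, removing index 0
    only when it matches; an unconditional pop(0) would also strip a legitimate
    entry if argv was never set."""
    if path and path[0] in argv_derived_candidates(argv0):
        return list(path[1:])
    return list(path)


def untrusted_entries(path, mode_of=lambda p: os.stat(p).st_mode):
    """Entries another local user could populate with a module of their own:
    relative paths (resolved against the CWD at import time) and directories
    writable by group or others.  Missing directories are skipped."""
    findings = []
    for entry in path:
        if entry == "" or not os.path.isabs(entry):
            findings.append((entry, "relative"))
            continue
        try:
            mode = mode_of(entry)
        except OSError:
            continue
        if stat.S_ISDIR(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable-by-others"))
    return findings


def harden(argv0=None):
    """Apply both steps to the live sys.path and return the audit findings."""
    if argv0 is None:
        argv0 = sys.argv[0] if sys.argv else ""
    sys.path[:] = drop_argv_entry(sys.path, argv0)
    return untrusted_entries(sys.path)
```

In an embedding host the same logic can be run via PyRun_SimpleString, but `sys` must be imported in `__main__` first, since it is not pre-imported there.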