[Python-checkins] r81887 - python/branches/release26-maint/Doc/whatsnew/2.6.rst

andrew.kuchling python-checkins at python.org
Fri Jun 11 03:07:06 CEST 2010


Author: andrew.kuchling
Date: Fri Jun 11 03:07:06 2010
New Revision: 81887

Log:
#5753: mention PySys_SetArgvEx() in 2.6 What's New

Modified:
   python/branches/release26-maint/Doc/whatsnew/2.6.rst

Modified: python/branches/release26-maint/Doc/whatsnew/2.6.rst
==============================================================================
--- python/branches/release26-maint/Doc/whatsnew/2.6.rst	(original)
+++ python/branches/release26-maint/Doc/whatsnew/2.6.rst	Fri Jun 11 03:07:06 2010
@@ -1788,7 +1788,7 @@
   were applied.  (Maintained by Josiah Carlson; see :issue:`1736190` for
   one patch.)
 
-* The :mod:`bsddb` module also has a new maintainer, Jesús Cea, and the package
+* The :mod:`bsddb` module also has a new maintainer, Jesús Cea Avion, and the package
   is now available as a standalone package.  The web page for the package is
   `www.jcea.es/programacion/pybsddb.htm
   <http://www.jcea.es/programacion/pybsddb.htm>`__.
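Review bot: the maintainer name change on the ``bsddb`` line is not covered by the log message, which only mentions #5753 and PySys_SetArgvEx(); either add it to the log or commit it separately so the release26-maint history for this line stays traceable to the tracker issue it came from.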
@@ -2992,6 +2992,33 @@
   architectures (x86, PowerPC), 64-bit (x86-64 and PPC-64), or both.
   (Contributed by Ronald Oussoren.)
 
+* A new function added in Python 2.6.6, :cfunc:`PySys_SetArgvEx`, sets
+  the value of ``sys.argv`` and can optionally update ``sys.path`` to
+  include the directory containing the script named by ``sys.argv[0]``
+  depending on the value of an *updatepath* parameter.
+
+  This function was added to close a security hole for applications
+  that embed Python.  The old function, :cfunc:`PySys_SetArgv`, would
+  always update ``sys.path``, and sometimes it would add the current
+  directory.  This meant that, if you ran an application embedding
+  Python in a directory controlled by someone else, attackers could
+  put a Trojan-horse module in the directory (say, a file named
+  :file:`os.py`) that your application would then import and run.
+
+  If you maintain a C/C++ application that embeds Python, check
+  whether you're calling :cfunc:`PySys_SetArgv` and carefully consider
+  whether the application should be using :cfunc:`PySys_SetArgvEx`
+  with *updatepath* set to false.  Note that using this function will
+  break compatibility with Python versions 2.6.5 and earlier; if you
+  have to continue working with earlier versions, you can leave
+  the call to :cfunc:`PySys_SetArgv` alone and call
+  ``PyRun_SimpleString("sys.path.pop(0)\n")`` afterwards to discard
+  the first ``sys.path`` component.
+
+  Security issue reported as `CVE-2008-5983
+  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983>`_;
+  discussed in :issue:`5753`, and fixed by Antoine Pitrou.
+
 * The BerkeleyDB module now has a C API object, available as
   ``bsddb.db.api``.   This object can be used by other C extensions
   that wish to use the :mod:`bsddb` module for their own purposes.
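Review bot: the compatibility workaround on the ``PyRun_SimpleString("sys.path.pop(0)\n")`` line will raise NameError in the embedding application unless ``sys`` has already been imported into ``__main__``, because PyRun_SimpleString runs the string in the ``__main__`` namespace where ``sys`` is not bound by default; suggest ``PyRun_SimpleString("import sys; sys.path.pop(0)\n")``. Two smaller points in the same paragraph: *updatepath* is a C ``int``, so "set to false" is clearer as "set to 0", and the pop is only correct when it is done immediately after the :cfunc:`PySys_SetArgv` call, before any other code (including the application's own path setup) has prepended to ``sys.path``.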
@@ -3294,6 +3321,15 @@
   scoping rules, also cause warnings because such comparisons are forbidden
   entirely in 3.0.
 
+For applications that embed Python:
+
+* The :cfunc:`PySys_SetArgvEx` function was added in Python 2.6.6,
+  letting applications close a security hole when the existing
+  :cfunc:`PySys_SetArgv` function was used.  Check whether you're
+  calling :cfunc:`PySys_SetArgv` and carefully consider whether the
+  application should be using :cfunc:`PySys_SetArgvEx` with
+  *updatepath* set to false.
+
 .. ======================================================================
 
 
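Review bot: this porting entry tells readers to switch to :cfunc:`PySys_SetArgvEx` but, unlike the C API section above, does not say that the function only exists from 2.6.6 onward or what to do when the application must still build against 2.6.5 and earlier; suggest adding a sentence pointing to the ``sys.path.pop(0)`` fallback (with an explicit ``import sys``) or cross-referencing that section so the two entries give the same advice.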

