best way to ensure './' is at beginning of sys.path?
Michael Torrie
torriem at gmail.com
Sun Feb 5 00:18:24 EST 2017
On 02/04/2017 08:19 AM, Wildman via Python-list wrote:
> No, I do not know. You might try your question in
> a linux specific group. Personally I don't understand
> the danger in having the dot in the path. The './'
> only means the current directory. DOS and Windows
> have searched the current directory since their
> beginning. Is that also dangerous?
Because of how the DOS and Windows command-line interpreters work it's
slightly less dangerous. That's because a lot of commands are built into
the interpreter. Commands like dir, type, etc. So a malicious download
can't really override those with local copies.
In Linux, a lot of critical commands are actual programs in the search
path. Commands like ls, cat, etc. So if . is in the path, it's far
easier for a malicious download (or script) to place shadow programs in
the current directory that will run when you try to use what you think
is a system command. If strict user/root separation is maintained, then
the damage can be mitigated somewhat. Except for something like a
shadow copy of sudo that snags your password, then uses it to execute an
arbitrary script as root using the real sudo. Game over.
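A small audit script illustrating the shadowing risk described above (added example, not code from the thread). It flags PATH entries that resolve relative to the current directory (assuming POSIX semantics, where an empty entry also means the cwd) and simulates the shell's lookup to show which copy of a command would actually run; the directory layout and PATH value it builds are constructed for the demonstration.

```python
"""Audit a PATH value for entries that let files in the current working
directory shadow system commands, and show which file would really run."""
import os
import tempfile


def risky_entries(path_value):
    """Return PATH entries that resolve relative to the cwd: '.', '' or 'bin'."""
    return [e for e in path_value.split(os.pathsep) if not os.path.isabs(e)]


def resolve(cmd, path_value, cwd):
    """Simulate the shell's lookup: first executable regular file in PATH order wins.
    An empty entry means cwd; join() leaves absolute entries untouched."""
    for entry in path_value.split(os.pathsep):
        base = cwd if entry == "" else os.path.join(cwd, entry)
        candidate = os.path.join(base, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return os.path.normpath(candidate)
    return None


def shadowed(cmds, path_value, cwd):
    """Map command -> (file that runs, file the absolute entries alone would run)
    for every command where a relative PATH entry changes the outcome."""
    safe_path = os.pathsep.join(e for e in path_value.split(os.pathsep) if os.path.isabs(e))
    result = {}
    for cmd in cmds:
        actual, expected = resolve(cmd, path_value, cwd), resolve(cmd, safe_path, cwd)
        if actual != expected:
            result[cmd] = (actual, expected)
    return result


def demo():
    """Constructed layout: a fake system bin with ls/sudo/cat and a download
    directory holding look-alike ls and sudo. Returns shadowed() for PATH='.:<sysbin>'."""
    root = tempfile.mkdtemp()
    sysbin, downloads = os.path.join(root, "usr", "bin"), os.path.join(root, "Downloads")
    for d, names in ((sysbin, ("ls", "sudo", "cat")), (downloads, ("ls", "sudo"))):
        os.makedirs(d)
        for name in names:
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho " + d + "\n")  # placeholder script body
            os.chmod(p, 0o755)
    path_value = "." + os.pathsep + sysbin  # the dangerous layout from the thread
    return shadowed(["ls", "sudo", "cat"], path_value, downloads)


if __name__ == "__main__":
    print(risky_entries(os.environ.get("PATH", "")), demo())
```

Run against your own environment, a non-empty `risky_entries()` result is the condition the thread warns about; `cat` is absent from the demo output because only the absolute entry provides it.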