This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author Nam.Nguyen
Recipients Nam.Nguyen
Date 2011-09-16.00:08:15
SpamBayes Score 1.6606875e-09
Marked as misclassified No
Message-id <1316131696.55.0.834479609561.issue12989@psf.upfronthosting.co.za>
In-reply-to
Content 
The module search path is constructed from PYTHONPATH env-var, then zip path, then HKCU PythonPath, then HKLM PythonPath, then PYTHONPATH define (in pyconfig.h), and finally argv[0]. If PYTHONHOME is available, the PYTHONPATH define is expanded. These paths are separated by semicolon.

Without PYTHONHOME, PYTHONPATH define is appended to module_search_path as-is, and a semicolon comes **after** that. With PYTHONHOME, PYTHONPATH define is expanded, and there is no semicolon after it. Then, finally, when argv[0] is added to module_search_path, a semicolon is **prepended** before it.

This inconsistency in handling path delimiter leads to a case where two semicolons are next to each other (;;), which is translated to the current directory. It happens when PYTHONHOME is not found. The current directory is put in front of the application directory (argv[0]) causing a security issue whereby external modules might be imported inadvertently.

This patch makes semicolon handling consistent. A semicolon is appended at the end of every path component, except argv[0].
History
Date User Action Args
2011-09-16 00:08:16Nam.Nguyensetrecipients: + Nam.Nguyen
2011-09-16 00:08:16Nam.Nguyensetmessageid: <1316131696.55.0.834479609561.issue12989@psf.upfronthosting.co.za>
2011-09-16 00:08:15Nam.Nguyenlinkissue12989 messages
2011-09-16 00:08:15Nam.Nguyencreate