Message144111
The module search path is constructed from PYTHONPATH env-var, then zip path, then HKCU PythonPath, then HKLM PythonPath, then PYTHONPATH define (in pyconfig.h), and finally argv[0]. If PYTHONHOME is available, the PYTHONPATH define is expanded. These paths are separated by semicolon.
Without PYTHONHOME, PYTHONPATH define is appended to module_search_path as-is, and a semicolon comes **after** that. With PYTHONHOME, PYTHONPATH define is expanded, and there is no semicolon after it. Then, finally, when argv[0] is added to module_search_path, a semicolon is **prepended** before it.
This inconsistency in handling path delimiter leads to a case where two semicolons are next to each other (;;), which is translated to the current directory. It happens when PYTHONHOME is not found. The current directory is put in front of the application directory (argv[0]) causing a security issue whereby external modules might be imported inadvertently.
This patch makes semicolon handling consistent. A semicolon is appended at the end of every path component, except argv[0]. |
|
Date |
User |
Action |
Args |
2011-09-16 00:08:16 | Nam.Nguyen | set | recipients:
+ Nam.Nguyen |
2011-09-16 00:08:16 | Nam.Nguyen | set | messageid: <1316131696.55.0.834479609561.issue12989@psf.upfronthosting.co.za> |
2011-09-16 00:08:15 | Nam.Nguyen | link | issue12989 messages |
2011-09-16 00:08:15 | Nam.Nguyen | create | |
|