Message 179897 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	takluyver
Recipients	takluyver
Date	2013-01-13.22:13:51
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1358115231.51.0.337758586749.issue16957@psf.upfronthosting.co.za>
In-reply-to

Content
There's a 'short circuit' in shutil.which(), described as 'If we're given a full path which matches the mode and it exists, we're done here.' It also matches if an executable file of the same name is present in the working directory, although on most Unix-y systems you need ./ to execute such files in a shell (i.e. ./foo, not just foo). This could fool code calling which() into thinking that a program is installed, when it is not. If we consider this a bug, one simple fix would be to only allow the short circuit with an absolute path, so the line if _access_check(cmd, mode): would become if os.path.isabs(cmd) and _access_check(cmd, mode):

There's a 'short circuit' in shutil.which(), described as 'If we're given a full path which matches the mode and it exists, we're done here.'

It also matches if an executable file of the same name is present in the working directory, although on most Unix-y systems you need ./ to execute such files in a shell (i.e. ./foo, not just foo).

This could fool code calling which() into thinking that a program is installed, when it is not.

If we consider this a bug, one simple fix would be to only allow the short circuit with an absolute path, so the line

    if _access_check(cmd, mode):

would become

    if os.path.isabs(cmd) and _access_check(cmd, mode):

History
Date	User	Action	Args
2013-01-13 22:13:51	takluyver	set	recipients: + takluyver
2013-01-13 22:13:51	takluyver	set	messageid: <1358115231.51.0.337758586749.issue16957@psf.upfronthosting.co.za>
2013-01-13 22:13:51	takluyver	link	issue16957 messages
2013-01-13 22:13:51	takluyver	create