Author glyph
Recipients glyph, iankko, pitrou, psss
Date 2009-05-02.00:28:03
Message-id <1241224086.28.0.489333684468.issue5753@psf.upfronthosting.co.za>
Content
Antoine,

The problem is that apparently every program that embeds Python calls
PySys_SetArgv and does not understand the consequences of doing so.  For
example, a user running 'gedit' to edit some files in a potentially
insecure directory may not expect that starting the program there will
cause it to load python files from that directory.

The 'python' executable itself is not really "vulnerable" in quite the
same way, because if you (i.e. a developer) start 'python' in some
directory, you *do* typically expect that it will load code from that
directory.  For applications written *in* python, that have scripts in,
let's say, /usr/bin, the directory added to the path is /usr/bin, not
the application's working directory.
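As an added example (not part of glyph's message and not CPython's own code), the following Python emulates, from memory of the C logic, how PySys_SetArgv turns argv[0] into the sys.path[0] entry, and shows the check an embedding program could run after initialization to drop any entry that resolves to its working directory. The sample path list is constructed; symlink resolution that the C code performs on some platforms is omitted.

```python
import os


def path_entry_for_argv0(argv0):
    """Emulate the sys.path[0] value PySys_SetArgv derives from argv[0].

    Written from memory of CPython's sysmodule.c, not copied from it:
    the directory part of argv[0] is used, and an argv[0] with no
    directory separator yields '' which the import system treats as
    the current working directory (the gedit case in the report).
    """
    sep_index = argv0.rfind("/")
    if sep_index < 0:
        return ""                      # no directory part -> '' -> cwd
    directory = argv0[:sep_index + 1]  # keep the separator for now
    if len(directory) > 1:
        directory = directory[:-1]     # drop trailing '/', keep a bare '/'
    return directory


def cwd_entries(path_entries, cwd):
    """Indices of path entries that resolve to the working directory.

    Both the bare '' entry and an explicit path that resolves to cwd
    count, so a check on '' alone is not enough.
    """
    cwd_real = os.path.realpath(cwd)
    return [i for i, entry in enumerate(path_entries)
            if entry == "" or os.path.realpath(entry) == cwd_real]


def strip_cwd(path_entries, cwd):
    """Return a copy of path_entries without working-directory entries.

    This is the Python-side equivalent of popping sys.path[0] right
    after PySys_SetArgv in an embedding application.
    """
    drop = set(cwd_entries(path_entries, cwd))
    return [e for i, e in enumerate(path_entries) if i not in drop]


if __name__ == "__main__":
    # Constructed sample: what an embedding editor started as plain
    # "gedit" would see once PySys_SetArgv has run.
    sample_path = [path_entry_for_argv0("gedit"),
                   "/usr/lib/python2.6",
                   "/usr/lib/python2.6/site-packages"]
    print("before:", sample_path)
    print("after: ", strip_cwd(sample_path, os.getcwd()))
```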