unofficial mirror of bug-gnu-emacs@gnu.org 
From: Brendan Miller <catphive@catphive.net>
To: Stefan Monnier <monnier@iro.umontreal.ca>
Cc: 7454@debbugs.gnu.org, Chong Yidong <cyd@stupidchicken.com>
Subject: bug#7454: python.el sys.path improperly removes current working directory
Date: Sun, 21 Nov 2010 12:36:29 -0800
Message-ID: <AANLkTikT=kG_LFnADazSVB4v9MdUpz1+OCqOpXFvt4S1@mail.gmail.com>
In-Reply-To: <jwv1v6exwyj.fsf-monnier+emacs@gnu.org>

On Sun, Nov 21, 2010 at 12:09 PM, Stefan Monnier
<monnier@iro.umontreal.ca> wrote:
>>>> For unknown reasons, python.el's run-python removes the current
>>>> working directory from python's sys.path.
>>> The reasons are explained here
>>> http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html
>
>> Dave Love's upstream version has fixed this in a different way, by
>> avoiding module loading from world-writable directories.  I'll merge
>> this in.
>
> This makes the security hole smaller, but it's still present.  E.g. you
> may download an evil Python package into your home, then visit the files
> in Emacs (e.g. to see if these files look safe for use) and use some of
> python.el's features that happen to cause Python to be started: gotcha!
>
>
>        Stefan
>

It seems like there's a very simple solution to this that will keep
the security hole fixed, but still allow us to import modules from the
pwd normally.

Since the security hole is that we might import emacs.py from the
current working directory, the *only* place where we don't want the
pwd on the path is:
line 1578: (python-send-string "import emacs")

Correct?

So the solution is just to add this single line after it:
(python-send-string "sys.path[0:0] = ['']")

Which adds the pwd (the empty string) back to the front of the path.

I currently have almost the same thing set up by running that in my
inferior-python-mode-hook, and it seems to work.
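
Added example, not part of the original message and not code from python.el: a Python sketch of the import ordering discussed above, showing which file `import emacs` resolves to when `''` (the working directory) is first on the path, and what happens when the import runs before `''` is put back. The directory names, file contents and the `resolve` and `demo` helpers are constructed for illustration.

```python
import importlib.machinery
import os
import shutil
import sys
import tempfile


def resolve(name, search_path):
    """Return the file `import name` would load from search_path, or None."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None


def demo():
    # Constructed layout: "trusted" stands in for the directory holding
    # python.el's emacs.py; "project" is a working directory that also
    # contains a file named emacs.py plus an ordinary local module.
    root = os.path.realpath(tempfile.mkdtemp())
    trusted, project = os.path.join(root, "trusted"), os.path.join(root, "project")
    files = {(trusted, "emacs.py"): "ORIGIN = 'trusted'\n",
             (project, "emacs.py"): "ORIGIN = 'cwd'\n",
             (project, "local_mod.py"): "X = 1\n"}
    for (d, fname), body in files.items():
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, fname), "w") as f:
            f.write(body)
    saved_cwd, saved_path = os.getcwd(), sys.path[:]
    os.chdir(project)
    try:
        # With '' first, the working directory's emacs.py shadows the real one.
        shadowed = resolve("emacs", ["", trusted])
        # Ordering from the message: import with cwd off the path, then restore it.
        sys.path[:] = [trusted]
        first = importlib.import_module("emacs").ORIGIN
        sys.path[0:0] = [""]
        local = importlib.import_module("local_mod").X
        # A later "import emacs" is served from sys.modules, not from cwd.
        later = importlib.import_module("emacs").ORIGIN
        return os.path.dirname(shadowed) == project, first, local, later
    finally:
        os.chdir(saved_cwd)
        sys.path[:] = saved_path
        for n in ("emacs", "local_mod"):
            sys.modules.pop(n, None)
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The sketch covers only the module name `emacs`; once `''` is back on the path, any other module name is again resolved from the working directory first.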





Thread overview: 7+ messages
2010-11-21  0:13 bug#7454: python.el sys.path improperly removes current working directory Brendan Miller
2010-11-21  1:47 ` Glenn Morris
2010-11-21 16:08   ` Chong Yidong
2010-11-21 20:09     ` Stefan Monnier
2010-11-21 20:36       ` Brendan Miller [this message]
2010-11-21 16:10   ` Chong Yidong
2010-11-21 16:53 ` Chong Yidong
