* [PATCH] python.el(run-python): Explain why we remove the current directory from sys.path
@ 2009-03-13 19:01 eric.hanchrow
From: eric.hanchrow @ 2009-03-13 19:01 UTC (permalink / raw)
To: emacs-devel; +Cc: Eric Hanchrow
From: Eric Hanchrow <erich@cozi.com>
---
lisp/progmodes/python.el | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/lisp/progmodes/python.el b/lisp/progmodes/python.el
index 7221d8e..81d073a 100644
--- a/lisp/progmodes/python.el
+++ b/lisp/progmodes/python.el
@@ -1552,7 +1552,11 @@ buffer for a list of commands.)"
(with-current-buffer
(let* ((cmdlist
(append (python-args-to-list cmd)
- '("-i" "-c" "import sys; sys.path.remove('')")))
+ ;; Removing the current directory from
+ ;; sys.path prevents an attacker from tricking
+ ;; us into running malicious code. See
+ ;; http://article.gmane.org/gmane.emacs.devel/103569
+ '("-i" "-c" "import sys; sys.path.remove('')")))
(path (getenv "PYTHONPATH"))
(process-environment ; to import emacs.py
(cons (concat "PYTHONPATH="
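Review bot: The new comment above the `'("-i" "-c" ...)` argument says an attacker could trick us into running malicious code, but it leaves the mechanism entirely to the gmane link, which may not stay reachable. State the mechanism in the comment itself: the empty-string entry in sys.path makes Python resolve imports from the current directory, so a file in the directory where the inferior process starts could shadow a module that process later imports (for example emacs.py, which the PYTHONPATH setup just below exists to import). Keep the URL as a secondary reference. As a style point, the comment sits between the two arguments of `append`; placing it above the `(append` form would read more cleanly.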
--
1.6.2
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git