From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: John Sullivan Newsgroups: gmane.emacs.devel Subject: Re: python.el: why remove '' from sys.path? Date: Sun, 15 Mar 2009 21:46:18 -0400 Message-ID: <878wn66xzp.fsf@ashbery.wjsullivan.net> References: <36366a980903131140p7a66c5a2ncabec4df11edcce1@mail.gmail.com> <36366a980903131158m33544fa8u4083c036aca55720@mail.gmail.com> <87eiwy7atr.fsf@ashbery.wjsullivan.net> <871vsy8edj.fsf@cyd.mit.edu> NNTP-Posting-Host: lo.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1237169321 20543 80.91.229.12 (16 Mar 2009 02:08:41 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Mon, 16 Mar 2009 02:08:41 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Mar 16 03:09:58 2009 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([199.232.76.165]) by lo.gmane.org with esmtp (Exim 4.50) id 1Lj2H6-0003mb-8R for ged-emacs-devel@m.gmane.org; Mon, 16 Mar 2009 03:09:56 +0100 Original-Received: from localhost ([127.0.0.1]:42107 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Lj2Fk-0007T4-2K for ged-emacs-devel@m.gmane.org; Sun, 15 Mar 2009 22:08:32 -0400 Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1Lj2Fe-0007RN-8h for emacs-devel@gnu.org; Sun, 15 Mar 2009 22:08:26 -0400 Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1Lj2FZ-0007RA-Gp for emacs-devel@gnu.org; Sun, 15 Mar 2009 22:08:25 -0400 Original-Received: from [199.232.76.173] (port=60603 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Lj2FZ-0007R7-D8 for emacs-devel@gnu.org; Sun, 15 Mar 2009 22:08:21 -0400 Original-Received: from main.gmane.org ([80.91.229.2]:56204 helo=ciao.gmane.org) by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.60) (envelope-from ) id 1Lj2FY-00045j-Sy for emacs-devel@gnu.org; Sun, 15 Mar 2009 22:08:21 -0400 Original-Received: from list by ciao.gmane.org with local (Exim 4.43) id 1Lj2FX-0005T0-Ga for emacs-devel@gnu.org; Mon, 16 Mar 2009 02:08:19 +0000 Original-Received: from c-66-31-28-102.hsd1.ma.comcast.net ([66.31.28.102]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 16 Mar 2009 02:08:19 +0000 Original-Received: from john by c-66-31-28-102.hsd1.ma.comcast.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 16 Mar 2009 02:08:19 +0000 X-Injected-Via-Gmane: http://gmane.org/ Original-Lines: 43 Original-X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: c-66-31-28-102.hsd1.ma.comcast.net User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/23.0.60 (gnu/linux) Cancel-Lock: sha1:wZHrG+T2om7eU5gmIN6kUB9Th5E= X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.6, seldom 2.4 (older, 4) X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:109648 Archived-At: Chong Yidong writes: > John Sullivan writes: > >> Why wouldn't the answer be to move '' to the end of sys.path, so that >> overloading the emacs module with something malicious in the current >> directory wouldn't be possible? Or how about checking the permissions of >> the current directory before removing '' from the path? Or checking an >> expected hash of the emacs and other imported-by-default modules? >> >> Having the current working directory be in the python path is pretty >> important to me and I think to other people as well. Moreover having the >> emacs python shell behave too differently from the standard python shell >> is a hassle. > > I'm open to revisiting this. IIRC, the issue with checking permissions > before removing '' from sys.path is that we weren't sure this would DTRT > on platforms like Windows. As for moving '' to the end of sys.path, > that would itself be an incompatibility. > Moving it to the end would also be an incompatibility, that's true, but a much less severe one. I could still import modules I'm hacking on which are in the current directory without having to modify sys.path, and I'd say that is the most common use case. I'm not sure about the Windows permissions issues -- I don't have any ability to help test that. > One thing to keep in mind here is that it may not be obvious to the user > that she is executing python code---if I understand correctly, the > python shell can be launched automatically when eldoc mode is on. > Right, and that makes sense to me as a legit reason why this is a security issue in this case but not in the case of a standard python shell. -- John Sullivan Emacs Planner Maintainer http://wjsullivan.net/PlannerMode.html GPG Key: AE8600B6