From: John Sullivan <john@wjsullivan.net>
To: emacs-devel@gnu.org
Subject: Re: python.el: why remove '' from sys.path?
Date: Sun, 15 Mar 2009 21:46:18 -0400
Message-ID: <878wn66xzp.fsf@ashbery.wjsullivan.net>
In-Reply-To: 871vsy8edj.fsf@cyd.mit.edu

Chong Yidong <cyd@stupidchicken.com> writes:
> John Sullivan <john@wjsullivan.net> writes:
>
>> Why wouldn't the answer be to move '' to the end of sys.path, so that
>> overloading the emacs module with something malicious in the current
>> directory wouldn't be possible? Or how about checking the permissions of
>> the current directory before removing '' from the path? Or checking an
>> expected hash of the emacs and other imported-by-default modules?
>>
>> Having the current working directory be in the python path is pretty
>> important to me and I think to other people as well. Moreover having the
>> emacs python shell behave too differently from the standard python shell
>> is a hassle.
>
> I'm open to revisiting this. IIRC, the issue with checking permissions
> before removing '' from sys.path is that we weren't sure this would DTRT
> on platforms like Windows. As for moving '' to the end of sys.path,
> that would itself be an incompatibility.

Moving it to the end would also be an incompatibility, that's true, but
a much less severe one. I could still import modules I'm hacking on
which are in the current directory without having to modify sys.path,
and I'd say that is the most common use case.

I'm not sure about the Windows permissions issues -- I don't have any
ability to help test that.

> One thing to keep in mind here is that it may not be obvious to the user
> that she is executing python code---if I understand correctly, the
> python shell can be launched automatically when eldoc mode is on.

Right, and that makes sense to me as a legit reason why this is a
security issue in this case but not in the case of a standard python
shell.

--
John Sullivan
Emacs Planner Maintainer
http://wjsullivan.net/PlannerMode.html
GPG Key: AE8600B6
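
Two of the alternatives raised in this thread (moving '' to the end of sys.path, and checking the current directory's permissions before deciding), sketched as an added example that is not python.el code and was not posted by anyone in the thread. The function names, the fail-closed choice on platforms without POSIX ownership, and the temporary directory layout are assumptions made for illustration.

```python
# Added example, not python.el code: one policy for the '' entry of sys.path.
import importlib.machinery
import os
import stat
import tempfile


def dir_is_trusted(path):
    """True if path is owned by us and not group/world-writable (POSIX)."""
    if not hasattr(os, "getuid"):   # assumption: fail closed where POSIX
        return False                # ownership is unavailable (e.g. Windows)
    st = os.stat(path)
    writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return st.st_uid == os.getuid() and not writable_by_others


def adjust_path(path, cwd):
    """Copy of path with '' moved last if cwd is trusted, otherwise dropped."""
    rest = [p for p in path if p != ""]
    if "" in path and dir_is_trusted(cwd):
        rest.append("")
    return rest


def resolve(name, path, cwd):
    """Directory that `import name` would load from, reading '' as cwd."""
    importlib.invalidate_caches()
    real = [cwd if p == "" else p for p in path]
    spec = importlib.machinery.PathFinder.find_spec(name, real)
    return os.path.dirname(spec.origin) if spec else None


def demo():
    """Constructed layout: helper/emacs.py, plus a cwd holding its own emacs.py."""
    with tempfile.TemporaryDirectory() as tmp:
        helper, cwd = os.path.join(tmp, "helper"), os.path.join(tmp, "cwd")
        for d in (helper, cwd):
            os.mkdir(d, 0o755)
            open(os.path.join(d, "emacs.py"), "w").close()
        open(os.path.join(cwd, "mine.py"), "w").close()
        default = ["", helper]                 # '' searched first
        moved = adjust_path(default, cwd)      # trusted cwd: '' goes last
        os.chmod(cwd, 0o777)                   # now world-writable
        return {
            "default_loads_cwd_copy": resolve("emacs", default, cwd) == cwd,
            "moved_loads_helper": resolve("emacs", moved, cwd) == helper,
            "own_module_still_found": resolve("mine", moved, cwd) == cwd,
            "untrusted_cwd_drops_entry": adjust_path(default, cwd) == [helper],
        }
```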