From: Brendan Miller
Newsgroups: gmane.emacs.bugs
Subject: bug#7454: python.el sys.path improperly removes current working directory
Date: Sun, 21 Nov 2010 12:36:29 -0800
References: <87y68mk6bg.fsf@stupidchicken.com>
To: Stefan Monnier
Cc: 7454@debbugs.gnu.org, Chong Yidong

On Sun, Nov 21, 2010 at 12:09 PM, Stefan Monnier wrote:
>>>> For unknown reasons, python.el's run-python removes the current
>>>> working directory from python's sys.path.
>>> The reasons are explained here
>>> http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html
>
>> Dave Love's upstream version has fixed this in a different way, by
>> avoiding module loading from world-writable directories.  I'll merge
>> this in.
>
> This makes the security hole smaller, but it's still present.  E.g. you
> may download an evil Python package into your home, then visit the files
> in Emacs (e.g. to see if these files look safe for use) and use some of
> python.el's features that happen to cause Python to be started: gotcha!
>
>
>        Stefan
>

It seems like there's a very simple solution to this that will keep
the security hole fixed, but still allow us to import modules from the
pwd normally.

Since the security hole is that we might import emacs.py from the
current working directory, the *only* place where we don't want the
pwd on the path is:

line 1578:
    (python-send-string "import emacs")

Correct?

So the solution is just to add this single line after it:

    (python-send-string "sys.path[0:0] = ['']")

Which adds the pwd (the empty string) back to the front of the path.

I currently have almost the same thing set up by running that in my
inferior-python-mode-hook, and it seems to work.
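
Added example (not part of the original message and not python.el code): a Python sketch that uses path lookups only, without importing anything, to show which file `import emacs` and a user module would resolve to at each stage of the sequence discussed above. The directory layout, the module name `mymod` and the function names are constructed for illustration.

```python
import importlib
import importlib.machinery
import os
import tempfile

def resolve(name, search_path):
    """File that `import name` would load for this search path (no code runs)."""
    # An '' entry means "current working directory", as in sys.path.
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None

def startup_lookups(helper, user_module, trusted_dir, project_dir):
    """Path lookups at each stage of the sequence proposed in the message."""
    unsafe = ["", trusted_dir]    # cwd searched first
    hardened = [trusted_dir]      # '' removed before the helper import
    restored = [""] + hardened    # effect of sys.path[0:0] = ['']
    old_cwd = os.getcwd()
    os.chdir(project_dir)
    try:
        importlib.invalidate_caches()
        return {
            "helper_unsafe": resolve(helper, unsafe),
            "helper_hardened": resolve(helper, hardened),
            "user_hardened": resolve(user_module, hardened),
            "user_restored": resolve(user_module, restored),
            "helper_restored": resolve(helper, restored),
        }
    finally:
        os.chdir(old_cwd)

def demo():
    """Constructed layout: trusted/emacs.py, project/emacs.py, project/mymod.py."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        for rel in ("trusted/emacs.py", "project/emacs.py", "project/mymod.py"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("# constructed placeholder\n")
        found = startup_lookups("emacs", "mymod",
                                os.path.join(root, "trusted"),
                                os.path.join(root, "project"))
        return {k: v and os.path.relpath(v, root).replace(os.sep, "/")
                for k, v in found.items()}

if __name__ == "__main__":
    for stage, origin in demo().items():
        print(f"{stage:16} -> {origin}")
```

The `helper_restored` lookup resolves to the project copy again: once '' is back at the front of the path, only modules already cached in sys.modules are unaffected, and any later fresh import searches the working directory first.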