[Pkg-ime-devel] Bug#605171: ibus-anthy: Use of PYTHONPATH env var in an insecure way
morph at debian.org
Sat Nov 27 22:41:55 UTC 2010
User: debian-python at lists.debian.org
Jakub Wilk performed an analysis for packages setting PYTHONPATH in
an insecure way. Those packages do something like:
This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.
Your package turns out to have script/module outside PATH (even if not
sure if vulnerable): you can find a complete log at .
Some guidelines on how to fix these bugs: in the case given above, you
can use something like
(If you don't known this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)
Also, in cases like
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
you shouldn't need to touch PYTHONPATH at all.
Feel free to contact debian-python at lists.debian.org in case of
More information about the Pkg-ime-devel