Bug#493937: [Patch] Prevent loading of Python modules in working directory

James Vega jamessan at debian.org
Mon Nov 3 22:21:08 UTC 2008


On Mon, Nov 03, 2008 at 10:23:27PM +0100, Bram Moolenaar wrote:
> 
> James -
> 
> > Bram,
> > 
> > Vim's python interface calls PySys_SetArgv with an argv[0] that doesn't
> > resolve to a filename.  This causes Python to prepend sys.path with an
> > empty string which, due to Python's use of relative imports, allows the
> > possibility to run arbitrary code on the user's system if a file in
> > Vim's working directory matches the name of a python module a
> > Python-using vim script tries to import.
> > 
> > This should be fixed by Python 2.6 as it uses absolute imports by
> > default, but I have not been able to test it.  The attached patch fixes
> > the problem in Vim by removing any empty strings from sys.path.
> 
> This is a Python bug, right?  One should never add an empty entry to
> sys.path.  And probably should not add a path relative to the executable
> anyway.

Yes, it is a Python bug but it's one that they chose to ignore.  The
code for PySys_SetArgv specifically adds the empty entry when it is not
able to resolve a filename (and therefore its parent directory).  The
default use of absolute imports in Python 2.6 (assuming that also
affects their C interface) will only work around the issue of empty
entries in sys.path.

> Another solution would be to make the first argument to argv[] an
> absolute path, e.g. "/".  Is there something against that?

That still adds an unnecessary directory to sys.path.  In the case of
Vim, I think the safest measure is to remove the extra entry from
sys.path.  For other applications, where there is a directory from which
they want to load Python plugins, it would make sense to add that
directory to sys.path.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
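The behaviour the thread describes, shown from the Python side as an added example (this is not the Debian patch and not Vim's code): an empty entry in sys.path makes the interpreter look in the process's working directory, so a module file dropped there is picked up by a plain import; stripping the empty entries, which is what the patch does for Vim's embedded interpreter, closes that lookup. The module name `vimscript_helper_probe` and the temporary working directory are constructed for the demonstration.

```python
"""Show why an empty sys.path entry is dangerous for an embedding
application and what removing it buys.  Added example, not part of the
mailing-list thread or of Vim."""
import importlib
import os
import sys
import tempfile

MARKER = "loaded from the working directory"


def sanitize_path(entries):
    """Return a copy of a sys.path-like list without the entries that mean
    'the current working directory': the empty string that PySys_SetArgv
    inserts when argv[0] has no resolvable filename, and the explicit '.'.
    This is the mitigation the thread settles on for Vim."""
    return [p for p in entries if p not in ("", ".")]


def cwd_import_is_possible(path_entries, module_name="vimscript_helper_probe"):
    """Return True if a module placed in the working directory is importable
    under the given sys.path.  A throwaway directory holding a constructed
    module is used as the working directory; sys.path, sys.modules and the
    cwd are restored afterwards."""
    saved_path, saved_cwd = list(sys.path), os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        # The constructed module only sets a marker; its presence in the
        # working directory is what matters, not what it does.
        with open(os.path.join(workdir, module_name + ".py"), "w") as fh:
            fh.write("MARKER = %r\n" % MARKER)
        os.chdir(workdir)
        sys.path[:] = list(path_entries)
        sys.modules.pop(module_name, None)
        importlib.invalidate_caches()
        try:
            mod = importlib.import_module(module_name)
            return getattr(mod, "MARKER", None) == MARKER
        except ImportError:
            return False
        finally:
            sys.modules.pop(module_name, None)
            sys.path[:] = saved_path
            os.chdir(saved_cwd)


def demo():
    """Compare the two states discussed in the thread: sys.path as
    PySys_SetArgv leaves it (empty entry in front) and the same list after
    the empty entries are stripped.  Returns (before, after)."""
    as_left_by_python = [""] + sanitize_path(sys.path)
    before = cwd_import_is_possible(as_left_by_python)
    after = cwd_import_is_possible(sanitize_path(as_left_by_python))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("importable from cwd with '' in sys.path:   ", before)
    print("importable from cwd after sanitize_path(): ", after)
```

Later CPython releases expose the same fix at the interpreter level: the `-P` option / `PYTHONSAFEPATH` (3.11+) and, for embedders, `PyConfig.safe_path`, both of which stop the working directory or script directory from being placed on sys.path at all.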