Bug#493937: [Patch] Prevent loading of Python modules in working directory

Bram Moolenaar Bram at moolenaar.net
Tue Nov 4 21:08:09 UTC 2008


James -

> > > Vim's python interface calls PySys_SetArgv with an argv[0] that doesn't
> > > resolve to a filename.  This causes Python to prepend sys.path with an
> > > empty string which, due to Python's use of relative imports, allows the
> > > possibility to run arbitrary code on the user's system if a file in
> > > Vim's working directory matches the name of a python module a
> > > Python-using vim script tries to import.
> > > 
> > > This should be fixed by Python 2.6 as it uses absolute imports by
> > > default, but I have not been able to test it.  The attached patch fixes
> > > the problem in Vim by removing any empty strings from sys.path.
> > 
> > This is a Python bug, right?  One should never add an empty entry to
> > sys.path.  And probably should not add a path relative to the executable
> > anyway.
> 
> Yes, it is a Python bug but it's one that they chose to ignore.  The
> code for PySys_SetArgv specifically adds the empty entry when it is not
> able to resolve a filename (and therefore its parent directory).  The
> default use of absolute imports in Python 2.6 (assuming that also
> affects their C interface) will only work around the issue of empty
> entries in sys.path.
> 
> > Another solution would be to make the first argument to argv[] an
> > absolute path, e.g. "/".  Is there something against that?
> 
> That still adds an unnecessary directory to sys.path.  In the case of
> Vim, I think the safest measure is to remove the extra entry from
> sys.path.  For other applications, where there is a directory from which
> they want to load python plugins, it would make sense to add that
> directory to sys.path.

I suppose adding "/" won't break anything, but still isn't nice.
Your solution indeed looks like the best solution.

- Bram

-- 
The CIA drives around in cars with the "Intel inside" logo.

 /// Bram Moolenaar -- Bram at Moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
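An added example, not code from Vim's patch or from this thread, showing the sys.path hole the thread describes and the mitigation the patch applies (dropping the implicit working-directory entry rather than replacing argv[0] with "/"). The function names and the constructed module name are this example's own.

```python
import importlib.machinery
import os
import sys
import tempfile

# "" is the entry PySys_SetArgv prepends when argv[0] has no directory part;
# "." is the explicit spelling of the same thing.
CWD_ENTRIES = ("", ".")


def strip_cwd_entries(path_list):
    """Return path_list without entries that mean 'the working directory'.

    This mirrors the patch's approach: remove the implicit cwd entry
    instead of pointing argv[0] at "/", which would add "/" to sys.path.
    """
    return [p for p in path_list if p not in CWD_ENTRIES]


def cwd_module_wins(modname, search_path):
    """Return True if a file <modname>.py dropped into the working
    directory is found when resolving `modname` through `search_path`.

    A temporary directory stands in for the directory Vim was started in;
    the constructed module file only sets a flag.
    """
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, modname + ".py"), "w", encoding="utf-8") as f:
            f.write("SHADOWED = True\n")
        old_cwd = os.getcwd()
        os.chdir(tmp)
        try:
            spec = importlib.machinery.PathFinder.find_spec(modname, search_path)
            return spec is not None
        finally:
            os.chdir(old_cwd)


if __name__ == "__main__":
    # Mimic the sys.path PySys_SetArgv leaves behind: "" in front of the real entries.
    tainted = [""] + [p for p in sys.path if p not in CWD_ENTRIES]
    name = "vim_example_shadow_mod"  # constructed name, not a real module
    print("cwd module found with tainted sys.path:", cwd_module_wins(name, tainted))
    print("cwd module found after stripping:      ",
          cwd_module_wins(name, strip_cwd_entries(tainted)))
```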

More information about the pkg-vim-maintainers mailing list