[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#7454: python.el sys.path improperly removes current working director

From: Brendan Miller
Subject: bug#7454: python.el sys.path improperly removes current working directory
Date: Sun, 21 Nov 2010 12:36:29 -0800

On Sun, Nov 21, 2010 at 12:09 PM, Stefan Monnier
<address@hidden> wrote:
>>>> For unknown reasons, python.el's run-python removes the current
>>>> working directory from python's sys.path.
>>> The reasons are explained here
>>> http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html
>> Dave Love's upstream version has fixed this in a different way, by
>> avoiding module loading from world-writable directories.  I'll merge
>> this in.
> This makes the security hole smaller, but it's still present.  E.g. you
> may download an evil Python package into your home, then visit the files
> in Emacs (e.g. to see if these files look safe for use) and use some of
> python.el's features that happens to cause Python to be started: gotcha!
>        Stefan

It seems like there's a very simple solution to this that will keep
the security hole fixed, but still allow us to import modules from the
pwd normally.

Since the security hole is that we might import emacs.py from the
current working directory, the *only* place where we don't want the
pwd on the path is:
line 1578: (python-send-string "import emacs")


So the solution is just to add this single line after it:
(python-send-string "sys.path[0:0] = ['']")

Which adds the pwd (the empty string) back to the front of the path.

I currently have almost the same thing setup by running that in my
inferior-python-mode-hook, and it seems to work.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]