--- python-21.el 2008/02/23 14:38:13 1.59 +++ python-21.el 2008/09/10 09:59:25 @@ -1475,6 +1476,10 @@ default `python-command', or argument NEW is non-nil. See also the documentation for `python-buffer'. +Note that, as a security measure, modules won't be loaded from the +current directory if this command is invoked initially in a +world-writable directory. + Runs the hook `inferior-python-mode-hook' \(after the `comint-mode-hook' is run). \(Type \\[describe-mode] in the process buffer for a list of commands.)" @@ -1502,9 +1507,25 @@ (generate-new-buffer "*Python*") (car cmdlist) nil (cdr cmdlist))) (setq-default python-buffer (current-buffer)) - (setq python-buffer (current-buffer))) - (accept-process-output (get-buffer-process python-buffer) 5) - (inferior-python-mode))) + (setq python-buffer (current-buffer)) + (accept-process-output (get-buffer-process python-buffer) 5) + (inferior-python-mode) + ;; There's a security risk if we're invoked in a word-writable + ;; directory (possibly just by finding the file with Eldoc + ;; enabled). An attacker could drop in a malicious os.py, for + ;; instance, which will get loaded by `import os', since '' + ;; heads sys.path when python is invoked interactively. So in + ;; that case, don't allow imports from the current directory. + ;; (Using `sys' initially is OK, since it's a builtin.) If + ;; the user subsequently chdirs into a world-writable + ;; directory, that's their lookout. It's more convenient to + ;; set things up here than in emacs.py, messing with sys.path + ;; around the initial use of `os'. See also comments below + ;; about code loading. + (when (logand 2 (file-modes default-directory)) ; world-writable + (message "Current directory world-writable --\ + suppressing Python imports from it") + (python-send-string "import sys; sys.path.remove('')"))))) (if (memq major-mode python-source-modes) (setq python-buffer (default-value 'python-buffer))) ; buffer-local ;; Load function definitions we need.