Re: RFS: sima (autoqueue MPD client, find similar artists to queue)
On Fri, Nov 12, 2010 at 6:12 PM, chrysn <chrysn@fsfe.org> wrote:
> PYTHONPATH=/usr/share/sima/:$PYTHONPATH exec /usr/share/sima/mpd_sima.py "$@"
Please use this instead to avoid security issues caused by allowing
python to load modules from the working directory (which may have
untrusted files in it):
PYTHONPATH=/usr/share/sima/${PYTHONPATH:+:$PYTHONPATH} exec /usr/share/sima/mpd_sima.py "$@"
cf. all the recent LD_LIBRARY_PATH vulnerabilities for the reasoning
behind this.
--
bye,
pabs
http://wiki.debian.org/PaulWise
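
Added example, not part of the original message: a shell sketch comparing the two wrapper assignments quoted above for several inherited PYTHONPATH values and flagging any empty path entry, which Python resolves to the current working directory. The function names and the sample inherited values are constructed for illustration.

```shell
#!/bin/sh
# Compare the two ways of prepending /usr/share/sima/ to PYTHONPATH.
# An empty entry in the list (leading, trailing or doubled colon) makes
# Python search the current working directory for modules.

# Form from the quoted wrapper: always appends ":" plus the old value.
unsafe_path() {
    printf '%s' "/usr/share/sima/:$1"
}

# Suggested form: appends ":" plus the old value only when it is non-empty.
safe_path() {
    pp=$1
    printf '%s' "/usr/share/sima/${pp:+:$pp}"
}

# Succeeds (returns 0) when the colon-separated list has an empty entry.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed inherited values: unset/empty, a clean path, and a path
# that already carries a trailing colon from the caller's environment.
for inherited in "" "/opt/lib" "/opt/lib:"; do
    for builder in unsafe_path safe_path; do
        result=$("$builder" "$inherited")
        if has_empty_entry "$result"; then
            verdict="EMPTY ENTRY (cwd searched)"
        else
            verdict="ok"
        fi
        printf '%-12s inherited=%-12s -> %-28s %s\n' \
            "$builder" "'$inherited'" "$result" "$verdict"
    done
done
```

The last sample shows a limit of the `${PYTHONPATH:+:$PYTHONPATH}` form: it removes the empty entry the wrapper itself would create, but an inherited value that already contains one is passed through unchanged.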