Re: Untrusted search path vulnerabilities
Hello, Pythonistas,
in my slow learning of Python and of Python program packaging, here am
I again asking for advice:
On Wed, Nov 17, 2010 at 10:58:48PM +0100, Jakub Wilk wrote:
> A number of packages in the archive set the PYTHONPATH environment
> variable in an insecure way. They do something like:
>
> PYTHONPATH=/spam/eggs:$PYTHONPATH
>
> This is wrong, because if PYTHONPATH were originally unset or empty,
> the current working directory would be added to sys.path.
OK, so I may test if the content of the PYTHONPATH variable is empty
the way below, so that I can set the path in differentiated manners:
~~~~~~~~~~ start-script ~~~~~~~~~~~
#!/bin/sh
# Only append ${PYTHONPATH} if it actually contains something. Thus,
# test the length of the string in PYTHONPATH.
if [ "${#PYTHONPATH}" = "0" ]
then
    PYTHONPATH=/usr/lib/mmass/mspy/plot
else
    PYTHONPATH=/usr/lib/mmass/mspy/plot:${PYTHONPATH}
fi
export PYTHONPATH
exec python2.6 /usr/share/mmass/mmass.py
~~~~~~~ end ~~~~~~~
Is this correct?
Thanks a lot for your kind help,
Ciao
Filippo
--
Best regards,
Filippo
--
Filippo Rusconi, PhD - CNRS - public key C78F687C
Author of ``massXpert'' at http://www.massxpert.org
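An added example, not part of the original message or of any package discussed in this thread: a POSIX sh sketch that goes beyond the length test by also dropping empty elements (leading, trailing or doubled colons) from an inherited PYTHONPATH, since a non-empty value such as `/opt/lib:` passes a length test and still carries the empty entry that resolves to the current working directory. The function names and the sample inherited values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Function names and sample values are hypothetical.

# sanitize_path_list LIST: print LIST with every empty element removed.
# Runs in a subshell so the IFS and noglob changes do not leak to the caller.
sanitize_path_list() (
    IFS=:
    set -f
    out=
    for entry in $1; do
        [ -n "$entry" ] || continue
        out=${out:+$out:}$entry
    done
    printf '%s\n' "$out"
)

# prepend_path DIR LIST: print DIR followed by the cleaned LIST, adding a
# colon only when something is left to append.
prepend_path() (
    rest=$(sanitize_path_list "$2")
    printf '%s\n' "$1${rest:+:$rest}"
)

# has_empty_entry LIST: succeed when a non-empty LIST contains an empty
# element, i.e. the case that puts the working directory on sys.path.
has_empty_entry() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample values for the PYTHONPATH inherited from the caller.
for inherited in "" "/opt/lib" "/opt/lib:" ":/opt/lib" "/a::/b"; do
    naive="/usr/lib/mmass/mspy/plot:$inherited"
    safe=$(prepend_path /usr/lib/mmass/mspy/plot "$inherited")
    if has_empty_entry "$naive"; then
        verdict="empty entry"
    else
        verdict="clean"
    fi
    printf 'inherited=[%s] naive: %s, safe value: %s\n' \
        "$inherited" "$verdict" "$safe"
done
```

A wrapper would then `export PYTHONPATH="$(prepend_path /usr/lib/mmass/mspy/plot "$PYTHONPATH")"` before the `exec` line.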