
Re: Untrusted search path vulnerabilities



Hello, Pythonistas,

in my slow learning of Python and of Python program packaging, here am
I again asking for advice:

On Wed, Nov 17, 2010 at 10:58:48PM +0100, Jakub Wilk wrote:
> A number of packages in the archive sets the PYTHONPATH environment
> variable in an insecure way. They do something like:
> 
>       PYTHONPATH=/spam/eggs:$PYTHONPATH
> 
> This is wrong, because if PYTHONPATH were originally unset or empty,
> current working directory would be added to sys.path.

OK, so I may test if the content of the PYTHONPATH variable is empty
the way below, so that I can set the path in differentiated manners:

~~~~~~~~~~ start-script ~~~~~~~~~~~

#!/bin/sh

# Only append ${PYTHONPATH} if it actually contains something. Thus,
# test the length of the string in PYTHONPATH.
if [ "${#PYTHONPATH}" = "0" ]
then
    PYTHONPATH=/usr/lib/mmass/mspy/plot
else
    PYTHONPATH=/usr/lib/mmass/mspy/plot:${PYTHONPATH}
fi

export PYTHONPATH
exec python2.6 /usr/share/mmass/mmass.py

~~~~~~~ end ~~~~~~~

Is this correct?

Thanks a lot for your kind help,

Ciao
Filippo



-- 
Best regards,
                 Filippo

-- 
Filippo Rusconi, PhD - CNRS - public key C78F687C
Author of ``massXpert''     at http://www.massxpert.org
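
Added example, not part of the original message or of the mmass package: a POSIX sh sketch of the check discussed above, generalised from the unset/empty case to any inherited value that already carries an empty entry (leading, trailing or doubled colon). The function names and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# has_empty_entry VALUE: succeed if VALUE, read as a colon-separated list,
# holds an empty entry (leading ':', trailing ':' or '::'). Per the quoted
# report, such an entry puts the current working directory on sys.path.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;   # includes the empty value: no entries at all
    esac
}

# strip_empty_entries VALUE: print VALUE without its empty entries.
# The body runs in a subshell so IFS and 'set -f' do not leak to the caller.
strip_empty_entries() (
    IFS=:
    set -f                        # no globbing while splitting on ':'
    out=
    for entry in $1; do
        if [ -n "$entry" ]; then
            out=${out:+$out:}$entry
        fi
    done
    printf '%s\n' "$out"
)

# prepend_path DIR CURRENT: print DIR, then ':' and the cleaned CURRENT only
# if something is left. For a CURRENT without stray colons this equals
#   DIR${CURRENT:+:$CURRENT}
# which is the one-line form of the if/else in the script above.
prepend_path() (
    rest=$(strip_empty_entries "$2")
    printf '%s\n' "$1${rest:+:$rest}"
)

# Constructed sample values standing in for an inherited PYTHONPATH.
dir=/usr/lib/mmass/mspy/plot
for sample in "" "/opt/lib" ":/opt/lib" "/opt/lib::/srv/py:"; do
    naive="$dir:$sample"
    safe=$(prepend_path "$dir" "$sample")
    if has_empty_entry "$naive"; then verdict="empty entry"; else verdict="clean"; fi
    printf 'inherited=%-20s naive=%s (%s)\n' "[$sample]" "$naive" "$verdict"
    printf '%-30s safe=%s\n' "" "$safe"
done
```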

