[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Untrusted search path vulnerabilities

> On Wed, Nov 17, 2010 at 22:58, Jakub Wilk <jwilk@debian.org> wrote:
>> A number of packages in the archive sets the PYTHONPATH environment variable
>> in an insecure way. They do something like:
>>      PYTHONPATH=/spam/eggs:$PYTHONPATH
>> This is wrong, because if PYTHONPATH were originally unset or empty, current
>> working directory would be added to sys.path.

I wonder if this class of vulnerabilities (inc the LD_LIBRARY_PATH
ones) could be automatically warned about by lintian.



Reply to: