
Re: Upcoming change to perl: current directory in @INC



On Thu, 08 Sep 2016, Russ Allbery wrote:
> Lars Wirzenius <liw@liw.fi> writes:
> > Python doesn't put . in sys.path (the search path for imported
> > modules). It puts the absolute path where the script was found as the
> > first element. See https://docs.python.org/2/library/sys.html#sys.path
> > for details.
> 
> That's a little better but not a lot better.  It means that it's still
> unsafe to run any script out of a world-writeable directory such as /tmp,
> even if the sticky bit is set.

And we have cases of this: I just filed #837534: apt-listchanges: postinst
runs a Python script out of /tmp/.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
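
The following check is an added example, not part of the original message. It flags Python import-path entries (including the script directory that Python places first in sys.path) that are world-writable, and treats the sticky bit as no protection, as discussed above. The function names and the default set of trusted uids (root and the current user) are assumptions of this example.

```python
import os
import stat
import sys
import tempfile


def unsafe_import_dirs(paths=None, trusted_uids=None):
    """Return [(directory, reason)] for import-path entries where another
    local user could plant a module. Only the directory itself is checked,
    not its ancestors."""
    paths = sys.path if paths is None else paths
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}  # assumption: root and the caller
    findings = []
    for entry in paths:
        # An empty entry means "current directory" (python -c, interactive).
        directory = os.path.realpath(entry or os.getcwd())
        try:
            st = os.stat(directory)
        except OSError:
            continue  # a missing entry cannot supply modules
        if not stat.S_ISDIR(st.st_mode):
            continue  # zip archives and similar are out of scope here
        if st.st_mode & stat.S_IWOTH:
            # The sticky bit only stops deleting or renaming other users'
            # files; it does not stop anyone creating a new module file.
            sticky = " (sticky bit set)" if st.st_mode & stat.S_ISVTX else ""
            findings.append((directory, "world-writable" + sticky))
        elif st.st_uid not in trusted_uids:
            findings.append((directory, "owned by untrusted uid %d" % st.st_uid))
    return findings


def demo():
    # Constructed sample: a /tmp-like directory (1777) and a private one (0755).
    shared = os.path.realpath(tempfile.mkdtemp())
    private = os.path.realpath(tempfile.mkdtemp())
    os.chmod(shared, 0o1777)
    os.chmod(private, 0o755)
    try:
        return shared, private, unsafe_import_dirs([shared, private])
    finally:
        os.rmdir(shared)
        os.rmdir(private)


if __name__ == "__main__":
    for directory, reason in unsafe_import_dirs():
        print("%s: %s" % (directory, reason))
```

Run as a script, it audits the interpreter's own sys.path, whose first entry is the directory the script was started from.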

