Re: Untrusted search path vulnerabilities
> On Wed, Nov 17, 2010 at 22:58, Jakub Wilk <jwilk@debian.org> wrote:
>> A number of packages in the archive sets the PYTHONPATH environment variable
>> in an insecure way. They do something like:
>>
>> PYTHONPATH=/spam/eggs:$PYTHONPATH
>>
>> This is wrong, because if PYTHONPATH were originally unset or empty, current
>> working directory would be added to sys.path.
I wonder if this class of vulnerabilities (inc the LD_LIBRARY_PATH
ones) could be automatically warned about by lintian.
--
bye,
pabs
http://wiki.debian.org/PaulWise
Reply to: