Bug#605178: python-uno: Use of PYTHONPATH env var in an insecure way
On Thu, Dec 02, 2010 at 10:47:55PM +0100, Sandro Tosi wrote:
> yeah, sorry about that: the submissions were done with mass-bug, but the
> tool is affected by a bug (#605235) that generated 3 identical reports
> instead of 3 for different versions (1:2.4.1+dfsg-1+lenny8, 1:3.2.1-7,
> 1:3.3.0~beta2-2)
Ah, that explains the 3 bugs :). But mmh, 3 bugs for three different versions
would be buggy too, no? (Everything here is an ancestor of 1:2.4.1-x)
> sorry, I don't have an equivalent tcsh snippet. You can do it the
> "didactical" way, with
>
> if PYTHONPATH is set:
> do one thing
> else
> do something else
>
> > (BTW, the offending line is probably
> >
> > setenv PYTHONPATH .:$OOOHOME/program:$OOOHOME/program/pydemo:$OOOHOME/program/python/lib:$PYTHONPATH
> >
> > which is basically a no-op, as there's no internal python copy in our builds, and /pydemo doesn't exist
> > either, same as python scripts in $OOOHOME/program, and especially since OOOHOME is set as
> > "setenv OOOHOME /src4/OpenOffice.org1.1Beta2" :)
>
> the fact is that a guy can copy the demo/ dir contents in another dir
> and have '.' be added to PYTHONPATH with possible implications; in
Well, not unless he changes the paths to something working, and I somehow don't believe
that guy would use tcsh anyway, but point ;)
> this case '.' is even explicitly set in front of the PYTHONPATH line:
> why do you need it?
*I* don't. It comes from upstream. But you're right, it's most probably unneeded.
Grüße/Regards,
René
--
.''`. René Engelhard -- Debian GNU/Linux Developer
: :' : http://www.debian.org | http://people.debian.org/~rene/
`. `' rene@debian.org | GnuPG-Key ID: D03E3E70
`- Fingerprint: E12D EA46 7506 70CF A960 801D 0AA0 4571 D03E 3E70
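Added example (editor's note, not code from the bug report, from René, Sandro, or the python-uno package): a POSIX sh rendering of the tcsh line quoted above, with the "if PYTHONPATH is set, do one thing, else another" check folded into a parameter expansion, plus a small audit function that flags a PYTHONPATH which puts the current directory on sys.path. $OOOHOME is set to a placeholder directory here; the sample old PYTHONPATH values are constructed. Note the two failure modes the thread touches on: the explicit leading '.', and the trailing ':' you get when the old value is empty, which Python also reads as the current directory. (In tcsh itself the equivalent "is it set" test is `$?PYTHONPATH`; referencing an unset variable there is an error rather than an empty string, so the tcsh version of this check is an `if ($?PYTHONPATH)` branch.)

```shell
#!/bin/sh
# Added example, not code from the bug report or the python-uno package.
# sh rendering of the tcsh line discussed above; $OOOHOME is a placeholder.
OOOHOME=/usr/lib/openoffice

# The upstream shape, with "$1" standing in for the old $PYTHONPATH.
# Two problems: '.' is put first, and when the old value is empty the
# result ends in ':'. Python treats an empty sys.path component as the
# current directory, so both let a module dropped into the working
# directory shadow the standard library for whatever the script runs.
insecure_pythonpath() {
    printf '%s' ".:$OOOHOME/program:$OOOHOME/program/pydemo:$OOOHOME/program/python/lib:$1"
}

# Hardened form: no '.', and the old value is appended only when non-empty
# (${1:+:$1} expands to ':'$1 only if $1 is set and non-empty). This is the
# "if PYTHONPATH is set, do one thing, else another" check in one expansion.
safe_pythonpath() {
    printf '%s' "$OOOHOME/program:$OOOHOME/program/pydemo:$OOOHOME/program/python/lib${1:+:$1}"
}

# Audit check: exit 0 if any component of the given PYTHONPATH resolves to
# the current directory, i.e. is empty or '.'. Wrapping the value in ':'
# lets one pattern catch leading, trailing and middle components. An
# entirely empty PYTHONPATH adds nothing to sys.path and is not flagged.
has_cwd_entry() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: what each form produces with PYTHONPATH empty and with a value set.
for old in "" "/home/user/lib"; do
    for f in insecure_pythonpath safe_pythonpath; do
        v=$("$f" "$old")
        if has_cwd_entry "$v"; then verdict="UNSAFE (cwd on sys.path)"; else verdict="ok"; fi
        printf '%-19s old=%-17s -> %s\n    %s\n' "$f" "'$old'" "$verdict" "$v"
    done
done
```

Running it shows the insecure form flagged in both cases (the leading '.' alone is enough, and with an empty old value it also gains a trailing ':'), while the safe form never produces an empty or '.' component. The `has_cwd_entry` check is the thing to grep-equivalent over any wrapper script that touches PYTHONPATH: `*::*` catches the empty component in any position, `*:.:*` the explicit dot.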