Re: Untrusted search path vulnerabilities

[Mike Hommey <mh@glandium.org>]

On Thu, Nov 18, 2010 at 07:04:07PM +0800, Paul Wise wrote:
> > On Wed, Nov 17, 2010 at 22:58, Jakub Wilk <jwilk@debian.org> wrote:
> >> A number of packages in the archive sets the PYTHONPATH environment variable
> >> in an insecure way. They do something like:
> >>
> >>      PYTHONPATH=/spam/eggs:$PYTHONPATH
> >>
> >> This is wrong, because if PYTHONPATH were originally unset or empty, current
> >> working directory would be added to sys.path.
> 
> I wonder if this class of vulnerabilities (inc the LD_LIBRARY_PATH
> ones) could be automatically warned about by lintian.

I wonder if this wouldn't be our duty to remove the possibility of these
vulnerabilities at all. Who relies on these PATH variables features to
include the current directory instead of adding "." ? Why don't we fix
python, ld.so and other stuff doing the same such that empty entries are
skipped ?

Mike