bug#19540: repeated ./././ in compiled modules

Mon, 19 Jan 2015 14:21:07 -0800 

Absolute paths work.  But this is really unsatisfactory IMO.  I develop code in 
modules and do so in many directories.  It would be quite painful to just use 
absolute paths.

I don't see what the big security thread is.   If really a problem, why does 
guile allow relative paths?

For comparison, Python will load modules in the current directory.

Nonetheless, I think "." is breaking the traceback with the "./" being added on 
reload.  When I was using "." I wasn't getting file, line information in 
tracebacks.  Now, without GUILE_LOAD_PATH set to ":$HOME/opt/guile" I get 
traceback info for modules in my current directory.

I think the following may be a candidate fix?

code is from guile-2.0.11, in file boot-9.scm, near line 1683:

(define (in-vicinity vicinity file)
  (let ((tail (let ((len (string-length vicinity)))
                (if (zero? len)
                    #f
                    (string-ref vicinity (- len 1))))))
    (string-append vicinity
                   (if (or (not tail) (file-name-separator? tail))
                       ""
                       file-name-separator-string)
                   file)))
;; FIX?
(define (new-in-vicinity vicinity file)
  (let ((tail (let ((len (string-length vicinity)))
                (if (or (zero? len) (string=? "." vicinity))
                    #f
                    (string-ref vicinity (- len 1))))))
    (string-append vicinity
                   (if (or (not tail) (file-name-separator? tail))
                       ""
                       file-name-separator-string)
                   file)))


On Jan 19, 2015, at 12:28 PM, Ludovic Courtès <[email protected]> wrote:

> Matt Wette <[email protected]> skribis:
> 
>> 1) I found that this problem persists across restarts of guile.  I have been 
>> debugging a module in current dir and I am seeing the path extend an extra 
>> "./" every time I type ",reload (lalr1).
>> 
>> 2) My environment includes
>>   GUILE_LOAD_PATH=.:/Users/mwette/opt/guile
> 
> The problem stems from the ‘.’ entry in the search path.  On one hand
> this is perfectly valid; on the other hand, it’s usually frowned upon,
> because you may end up executing possibly malicious code that just
> happens to be in $PWD.
> 
> All in all, I recommend using only absolute directory names in the
> search paths, which will also solve the initial problem.
> 
> Can you confirm?
> 
> Thanks,
> Ludo’.

Reply via email to