On Mon, Nov 03, 2008 at 10:23:27PM +0100, Bram Moolenaar wrote:
>
> James -
>
> > Bram,
> >
> > Vim's python interface calls PySys_SetArgv with an argv[0] that doesn't
> > resolve to a filename. This causes Python to prepend sys.path with an
> > empty string which, due to Python's use of relative imports, allows the
> > possibility to run arbitrary code on the user's system if a file in
> > Vim's working directory matches the name of a python module a
> > Python-using vim script tries to import.
> >
> > This should be fixed by Python 2.6 as it uses absolute imports by
> > default, but I have not been able to test it. The attached patch fixes
> > the problem in Vim by removing any empty strings from sys.path.
>
> This is a Python bug, right? One should never add an empty entry to
> sys.path. And probably should not add a path relative to the executable
> anyway.

Yes, it is a Python bug but it's one that they chose to ignore. The
code for PySys_SetArgv specifically adds the empty entry when it is not
able to resolve a filename (and therefore its parent directory). The
default use of absolute imports in Python 2.6 (assuming that also
affects their C interface) will only work around the issue of empty
entries in sys.path.

> Another solution would be to make the first argument to argv[] an
> absolute path, e.g. "/". Is there something against that?

That still adds an unnecessary directory to sys.path. In the case of
Vim, I think the safest measure is to remove the extra entry from
sys.path. For other applications, where there is a directory from which
they want to load python plugins, it would make sense to add that
directory to sys.path.

--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[EMAIL PROTECTED]>
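
The effect of the empty sys.path entry discussed in this thread, and of removing it, as an added example that is not part of the original message and is not the attached Vim patch. It assumes Python 3, where an empty entry is still looked up as the current working directory; the module name and the path list are constructed for the demonstration.

```python
import importlib
import importlib.machinery
import os
import sys
import tempfile


def strip_empty_entries(path_list):
    """Return a copy of path_list without the empty-string entries."""
    return [entry for entry in path_list if entry != ""]


def sanitize_sys_path():
    """Apply the same filter to the live sys.path, in place."""
    sys.path[:] = strip_empty_entries(sys.path)


def resolves_from_cwd(module_name, path_list):
    """True if module_name would be loaded from the current working directory."""
    importlib.invalidate_caches()
    spec = importlib.machinery.PathFinder.find_spec(module_name, path_list)
    if spec is None or spec.origin is None:
        return False
    found_in = os.path.dirname(os.path.realpath(spec.origin))
    return found_in == os.path.realpath(os.getcwd())


def demo():
    """Constructed scenario: the working directory holds a file named like an imported module."""
    name = "constructed_plugin_helper"  # hypothetical module name
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, name + ".py"), "w") as fh:
            fh.write("# harmless constructed file\n")
        os.chdir(workdir)
        try:
            # Constructed path list: the empty entry stands for what
            # PySys_SetArgv prepends when argv[0] has no resolvable directory.
            embedded_path = ["", "/nonexistent/site-packages"]
            before = resolves_from_cwd(name, embedded_path)
            after = resolves_from_cwd(name, strip_empty_entries(embedded_path))
        finally:
            os.chdir(old_cwd)  # leave the directory before it is deleted
    return before, after


if __name__ == "__main__":
    print("resolved from cwd before/after filtering:", demo())
```
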