James -

> > > Vim's python interface calls PySys_SetArgv with an argv[0] that doesn't
> > > resolve to a filename. This causes Python to prepend sys.path with an
> > > empty string which, due to Python's use of relative imports, allows the
> > > possibility to run arbitrary code on the user's system if a file in
> > > Vim's working directory matches the name of a python module a
> > > Python-using vim script tries to import.
> > >
> > > This should be fixed by Python 2.6 as it uses absolute imports by
> > > default, but I have not been able to test it. The attached patch fixes
> > > the problem in Vim by removing any empty strings from sys.path.
> >
> > This is a Python bug, right? One should never add an empty entry to
> > sys.path. And probably should not add a path relative to the executable
> > anyway.
>
> Yes, it is a Python bug but it's one that they chose to ignore. The
> code for PySys_SetArgv specifically adds the empty entry when it is not
> able to resolve a filename (and therefore its parent directory). The
> default use of absolute imports in Python 2.6 (assuming that also
> affects their C interface) will only work around the issue of empty
> entries in sys.path.
>
> > Another solution would be to make the first argument to argv[] an
> > absolute path, e.g. "/". Is there something against that?
>
> That still adds an unnecessary directory to sys.path. In the case of
> Vim, I think the safest measure is to remove the extra entry from
> sys.path. For other applications, where there is a directory from which
> they want to load python plugins, it would make sense to add that
> directory to sys.path.
I suppose adding "/" won't break anything, but still isn't nice. Your
solution indeed looks like the best solution.

- Bram

--
The CIA drives around in cars with the "Intel inside" logo.

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
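An added illustration of the hazard and the fix discussed in the thread; this is not code from Vim, from the attached patch or from CPython. It uses a simplified model (an assumption) of the sys.path entry that PySys_SetArgv derives from argv[0], flags the entries that make imports resolve against the working directory, and applies the patch's approach of dropping the empty entry, going one step further by dropping any other non-absolute entry as well.

```python
import os
import sys
from typing import List


# Simplified model (assumption, not CPython's exact code) of what PySys_SetArgv
# prepends to sys.path: the directory of argv[0] when argv[0] carries a path,
# otherwise "" -- which Python resolves as the current working directory.
def argv0_path_entry(argv0: str) -> str:
    if argv0 and os.sep in argv0:
        return os.path.dirname(os.path.abspath(argv0))
    return ""  # the hazardous case: an embedding like Vim's passes no real filename


# Entries that make `import foo` look in the process's working directory first:
# the empty string, ".", or anything that is not an absolute path.
def cwd_relative_entries(path: List[str]) -> List[str]:
    return [p for p in path if p in ("", ".") or not os.path.isabs(p)]


# The thread's fix is to drop the empty entries; this goes further than the
# patch by dropping every non-absolute entry, since those also hit the CWD.
def sanitize_path(path: List[str]) -> List[str]:
    return [p for p in path if p not in ("", ".") and os.path.isabs(p)]


# Apply the fix in place to the running interpreter and report what was
# removed, so an embedding host can log the entries it discarded.
def harden_sys_path() -> List[str]:
    removed = cwd_relative_entries(sys.path)
    sys.path[:] = sanitize_path(sys.path)
    return removed


if __name__ == "__main__":
    # Constructed sample: the entry a Vim-like host would get, then typical paths.
    demo = [argv0_path_entry(""), "/usr/lib/python3.11",
            "/usr/lib/python3.11/site-packages", "."]
    print("risky entries:", cwd_relative_entries(demo))
    print("sanitized:", sanitize_path(demo))
```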