severity #605188 minor
thanks

This is only in documentation, so I don't think it is RC.
Even then I'm not sure if it should be a bug at all, but I'll leave it open for now so we can figure out what by the time we upload the next version.

Regards
Floris

On 27 November 2010 22:45, Sandro Tosi <mo...@debian.org> wrote:
> Package: python-omniorb-doc
> Version: 3.3-1
> Severity: important
> Tags: security
> User: debian-pyt...@lists.debian.org
> Usertags: pythonpath
>
> Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
> an insecure way. Those packages do something like:
>
>     PYTHONPATH=/spam/eggs:$PYTHONPATH
>
> This is wrong, because if PYTHONPATH were originally unset or empty,
> current working directory would be added to sys.path.
>
> [1] http://lists.debian.org/debian-python/2010/11/msg00045.html
>
> Your package turns out to ship vulnerable examples or contains
> insecure advice: you can find a complete log at [2].
>
> [2] http://people.debian.org/~morph/mbf/pythonpath.txt
>
> Some guidelines on how to fix these bugs: in the case given above, you
> can use something like
>
>     PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
>
> (If you don't know this construct, grep for "Use Alternative Value"
> in the bash/dash manpage.)
>
> Also, in cases like
>
>     PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
>
> or
>
>     PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
>
> you shouldn't need to touch PYTHONPATH at all.
>
> Feel free to contact debian-pyt...@lists.debian.org in case of
> help.

-- 
Debian GNU/Linux -- The Power of Freedom
www.debian.org | www.gnu.org | www.kernel.org
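The difference between the reported assignment and the suggested fix, as an added example that is not part of the original message or of the package: it builds both values for an empty and a non-empty previous PYTHONPATH, flags any empty path component, and counts unguarded assignments in a sample. The function names and the `/opt/lib` directory are assumptions made for illustration; `/spam/eggs` is the placeholder used in the report.

```sh
#!/bin/sh
# Added example; /spam/eggs and /opt/lib are placeholder directories.

# Pattern from the report: leaves a trailing ':' when the old value is empty.
unsafe_prepend() (
    PYTHONPATH=$2
    PYTHONPATH=$1:$PYTHONPATH
    printf '%s\n' "$PYTHONPATH"
)

# Suggested fix: ${VAR:+...} expands only when VAR is set and non-empty.
safe_prepend() (
    PYTHONPATH=$2
    PYTHONPATH=$1${PYTHONPATH:+:$PYTHONPATH}
    printf '%s\n' "$PYTHONPATH"
)

# True when a colon-separated path list contains an empty component,
# which is what puts the current working directory on sys.path.
has_empty_component() {
    case $1 in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count lines on stdin that splice $PYTHONPATH in without the ':+' guard.
count_unsafe() {
    grep -E ':\$PYTHONPATH|\$PYTHONPATH:' | grep -Fvc ':+'
}

for old in '' '/opt/lib'; do
    for fn in unsafe_prepend safe_prepend; do
        new=$($fn /spam/eggs "$old")
        if has_empty_component "$new"; then verdict='empty component'; else verdict=ok; fi
        printf '%-15s old=%-10s -> %-22s %s\n' "$fn" "'$old'" "$new" "$verdict"
    done
done

# Constructed sample: the three assignments quoted in the report.
count_unsafe <<'EOF'
PYTHONPATH=/spam/eggs:$PYTHONPATH
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
EOF
```

The line-based count is a coarse text match for reviewing documentation and example scripts; it does not parse shell syntax.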