Sounds good to me, since this is (a) a security fix that will make some vendors happy, and (b) only a C-level API. I expect that some apps embedding Python will use this API unconditionally and this breaks with earlier Python versions; this could be intentional because of the vulnerability (else why would they change their code to call the new API), or they can use an #if to check for a version >= 2.6.6.
--Guido

On Thu, May 20, 2010 at 12:32 PM, Antoine Pitrou <solip...@pitrou.net> wrote:
>
> Hello,
>
> I would like to check that it's possible to add a new C API function in the
> 2.6 branch, on the basis that it would help solve what seems to be
> reported as a security problem by several vendors (including Linux
> distributions) -- see http://bugs.python.org/issue5753 for a thorough
> discussion.
>
> The change is rather minimal at the code level; it adds a new function
> PySys_SetArgvEx which has an additional flag telling it whether to
> update sys.path or not. The existing PySys_SetArgv function
> unconditionally updates sys.path, which can allow shadowing of stdlib
> or third-party library modules by an attacker.
>
> Thank you
>
> Antoine.
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> http://mail.python.org/mailman/options/python-dev/guido%40python.org

--
--Guido van Rossum (python.org/~guido)
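The shadowing Antoine describes comes from PySys_SetArgv prepending the script's directory (or an empty entry meaning the current directory) to sys.path, so a file with a stdlib module's name placed next to the embedded application's script wins the import. The following is an added example, not code from this thread or from CPython, that shows the mechanism in Python: it resolves the same module name once with a script-directory entry at the front of the path (what PySys_SetArgv produces) and once without it (what an embedder gets from PySys_SetArgvEx with updatepath set to 0). The choice of `colorsys` as the target and the planted-file layout are assumptions made for the demonstration; any pure-Python stdlib name would behave the same.

```python
"""Show how a script-directory entry at sys.path[0] lets a planted file
shadow a stdlib module, and how dropping that entry prevents it.

Added example for the python-dev discussion of PySys_SetArgvEx; not code
from the thread or from CPython.
"""
import os
import sys
import tempfile
from importlib.machinery import PathFinder

# Pure-Python stdlib module, chosen (assumption) because it is rarely
# imported, so resolution is not masked by an earlier import.
TARGET = "colorsys"


def resolve_origin(name, search_path):
    """Return the file a fresh import of `name` would load from, using the
    standard path-based finder on an explicit search path. Nothing is
    imported, so sys.modules caching cannot hide the result."""
    spec = PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def plant_shadow(directory, name):
    """Write a stand-in `<name>.py` into `directory`, playing the role of an
    attacker-controlled file next to the embedded application's script."""
    path = os.path.join(directory, name + ".py")
    with open(path, "w") as f:
        f.write("# planted module: any code here runs on import\n")
    return path


def demo():
    """Resolve TARGET with and without the script-directory entry.

    Returns a dict with the origin chosen in each configuration and a
    boolean `shadowed` telling whether the planted file won when the
    script directory was on the path.
    """
    # Baseline search path: the interpreter's own entries, minus any
    # empty/cwd-style entry so the baseline is purely stdlib + site.
    base_path = [p for p in sys.path if p]
    with tempfile.TemporaryDirectory() as script_dir:
        planted = plant_shadow(script_dir, TARGET)

        # Equivalent of PySys_SetArgv: script directory prepended.
        with_entry = resolve_origin(TARGET, [script_dir] + base_path)

        # Equivalent of PySys_SetArgvEx(argc, argv, 0): sys.path untouched.
        without_entry = resolve_origin(TARGET, base_path)

        # Compare while the temp file still exists.
        shadowed = with_entry is not None and os.path.samefile(with_entry, planted)
        return {
            "with_entry": with_entry,
            "without_entry": without_entry,
            "shadowed": shadowed,
        }


if __name__ == "__main__":
    result = demo()
    print("script dir on sys.path :", result["with_entry"])
    print("script dir left off    :", result["without_entry"])
    print("stdlib module shadowed :", result["shadowed"])
```

The finder-based check is also a useful audit step for an embedded interpreter: call `PathFinder.find_spec(name, sys.path)` for the stdlib names the host application relies on and confirm each origin lies under the interpreter's own library directory rather than under a directory the application's users can write to.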