[issue16202] sys.path[0] security issues
Volker Braun added the comment:

The fact that Python's own testsuite tripped over this proves that this is subtle enough to merit some special handling.

1) It is not, and has never been, a good idea to run/compile anything off /tmp. This isn't specific to Python, it is just common sense that you don't hand over control of directory contents to others.

2) Removing /tmp from sys.path upon startup is not enough to guarantee safety. Many Python modules will happily add it back. Just as a random example, see profile.py: "sys.path.insert(0, os.path.dirname(progname))". The aim of the patch should be to warn the user of the dangers of running code in /tmp, not trying to make it safe (and, therefore, implicitly encouraging it).

3) The patch is too restrictive in my opinion, it rules out some plausible and perfectly safe use cases. For example, root owns directory and wheel owns Python script. Or sharing a group with a trusted user. Just disallowing o+w would be enough to save the unwary from executing in /tmp.

--
nosy: +vbraun

___
Python tracker <http://bugs.python.org/issue16202>
___
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
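The o+w test suggested in point 3, sketched as an added example that is not part of the original message or of the patch under discussion. The function names are hypothetical; because modules can re-add directories after startup (point 2), the check takes any path list and can be re-run at any time.

```python
import os
import stat
import sys
import warnings


def other_writable(path):
    """Return True if `path` is a directory with the o+w permission bit set."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False  # entry does not exist or cannot be inspected
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH)


def unsafe_path_entries(paths=None):
    """List the entries of `paths` (default: sys.path) that are o+w directories.

    '' stands for the current directory. The sticky bit (as on /tmp) is
    deliberately ignored: it stops other users deleting your files, not
    creating new module files next to them.
    """
    if paths is None:
        paths = sys.path
    return [p for p in paths if other_writable(p or os.getcwd())]


def warn_if_unsafe(paths=None):
    """Emit one RuntimeWarning per o+w entry and return the flagged entries."""
    flagged = unsafe_path_entries(paths)
    for entry in flagged:
        warnings.warn(
            "import path %r is writable by other users" % (entry or "."),
            RuntimeWarning,
            stacklevel=2,
        )
    return flagged


if __name__ == "__main__":
    # Warn only, as the comment argues: this does not make /tmp safe to run from.
    warn_if_unsafe()
```

Group-writable and differently-owned directories pass this check on purpose, matching the "root owns directory" and trusted-group cases the comment wants to keep working.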
[issue16202] sys.path[0] security issues
Volker Braun added the comment:

> When is tempfile.mkdtemp ever missing

It was added in Python 2.3, in the dark ages before that there was only tempfile.mktemp. Though I guess we can remove the fallback now...

--
___
Python tracker <http://bugs.python.org/issue16202>
___
[issue17816] Weak*Dictionary KeyErrors during callbacks
Volker Braun added the comment:

This is http://bugs.python.org/issue7105. The patch from there could easily be backported, I think.

--
nosy: +vbraun

___
Python tracker <http://bugs.python.org/issue17816>
___
[issue18000] _md5 should be built if _ssl cannot be built
Volker Braun added the comment:

This has been fixed for Python-3.3 in #14693. Attached is a straightforward Python-2.7.5 backport of the patch.

--
keywords: +patch
nosy: +vbraun
Added file: http://bugs.python.org/file30304/hashlibfallbacks.patch

___
Python tracker <http://bugs.python.org/issue18000>
___