Glyph Lefkowitz <gl...@divmod.com> added the comment:

Antoine,

The problem is that apparently every program that embeds Python calls PySys_SetArgv and does not understand the consequences of doing so. For example, a user running 'gedit' to edit some files in a potentially insecure directory may not expect that starting the program there will cause it to load Python files from that directory.

The 'python' executable itself is not really "vulnerable" in quite the same way, because if you (i.e. a developer) start 'python' in some directory, you *do* typically expect that it will load code from that directory. For applications written *in* Python, that have scripts in, let's say, /usr/bin, the directory added to the path is /usr/bin, not the application's working directory.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue5753>
_______________________________________
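The following is an added example, not part of the original message or of CPython's code: a check an embedding application could run on its module search path to find entries that follow the working directory, with a constructed demonstration of the import resolution the comment describes. The names `cwd_dependent_entries`, `resolves_from_cwd` and `plugin_helper_demo` are hypothetical, and the sketch assumes the embedded interpreter ends up with an empty string at the front of `sys.path`.

```python
import importlib.machinery
import os
import tempfile


def cwd_dependent_entries(path):
    """Return the entries of a sys.path-style list that follow the process's
    working directory: the empty string and any relative path."""
    return [p for p in path if p == "" or not os.path.isabs(p)]


def resolves_from_cwd(module_name, path):
    """True if importing module_name with this search path would load a file
    located in the current working directory (the module is not executed)."""
    spec = importlib.machinery.PathFinder.find_spec(module_name, path)
    if spec is None or not spec.origin:
        return False
    found_in = os.path.dirname(os.path.realpath(spec.origin))
    return found_in == os.path.realpath(os.getcwd())


def demo():
    """Constructed scenario: a host application that embeds Python is started
    in a directory it does not control."""
    # Assumption: the embedded interpreter's search path begins with "",
    # followed by the standard library directory.
    embedded_path = ["", os.path.dirname(os.__file__)]
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as untrusted:
        # Constructed stand-in for a stray .py file in that directory.
        with open(os.path.join(untrusted, "plugin_helper_demo.py"), "w") as f:
            f.write("LOADED_FROM = 'working directory'\n")
        os.chdir(untrusted)
        try:
            before = resolves_from_cwd("plugin_helper_demo", embedded_path)
            risky = cwd_dependent_entries(embedded_path)
            hardened = [p for p in embedded_path if p not in risky]
            after = resolves_from_cwd("plugin_helper_demo", hardened)
        finally:
            os.chdir(old_cwd)
    return before, after, risky


if __name__ == "__main__":
    print(demo())
```

An embedding host can apply the same filter to the live `sys.path` right after interpreter initialisation, before any plugin code is imported.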