Erik Max Francis wrote:
> [EMAIL PROTECTED] wrote:
>
> > Basically, someone could inject an arbitrary script called 'python'
> > into your path that does whatever (rm -fr /) under your user context
> > when you run the script. But the same thing would happen if you run
> > 'python test.py' instead of '/usr/local/bin/python test.py' to run a
> > script that doesn't have a she-bang or hasn't been flagged as
> > executable. Some admins will use a fully-qualified path for every
> > command to guard against this; I think that can be overkill.
>
> The primary guard for this is not having publicly-writable things in
> your PATH. In other words, this is the argument for not putting things
> like /tmp or . (because you might cd to somewhere publicly writable like
> /tmp) in your PATH, not really for avoiding /usr/bin/env in hash bangs.
Yeah, I agree 100%. I guess the best way to put it is that if random people are creating scripts called 'python' in your path, you've got bigger problems than /usr/bin/env calling the wrong program or a plain old 'python test.py' doing the same.

--
http://mail.python.org/mailman/listinfo/python-list
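As an added illustration of the point both posters make (this is example code written for this page, not anything posted in the thread): a small Python audit that flags the two PATH entries the thread warns about, relative entries such as `.` or an empty field, and world-writable directories such as `/tmp`, and then shows which file `#!/usr/bin/env python` would actually execute for a given PATH. The function names `audit_path` and `resolve_like_env`, the scratch directory and the PATH strings in `demo()` are all constructed for the example.

```python
import os
import shutil
import stat
import tempfile


def path_entries(path_value):
    """Split a PATH string into entries.

    An empty entry (a leading/trailing ':' or a '::') is treated by the
    shell and by execvp() as the current directory, so report it as '.'.
    """
    return [entry if entry else "." for entry in path_value.split(os.pathsep)]


def entry_problems(entry):
    """Return a list of reasons why PATH entry `entry` is risky.

    Two things are flagged: relative entries ('.', '', 'bin'), which resolve
    against whatever directory you happen to be in, and directories that are
    world-writable. The sticky bit (as on /tmp) does NOT help here: it only
    stops other users deleting your files; anyone can still create a new
    file named 'python' in the directory.
    """
    problems = []
    if not os.path.isabs(entry):
        problems.append("relative entry: resolves against the current directory")
    try:
        st = os.stat(entry)
    except OSError:
        return problems  # missing directory: nothing can be executed from it
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
        problems.append("world-writable: any local user can drop a 'python' here")
    return problems


def audit_path(path_value):
    """Map each PATH entry to its list of problems (empty list = fine)."""
    return {entry: entry_problems(entry) for entry in path_entries(path_value)}


def resolve_like_env(command, path_value):
    """Return the file '#!/usr/bin/env command' would run for this PATH.

    env(1) walks PATH in order and executes the first executable match,
    which is what shutil.which() does when handed the same PATH string.
    Returns None when nothing matches.
    """
    return shutil.which(command, path=path_value)


def demo():
    """Constructed scenario: a world-writable dir ahead of /usr/bin in PATH."""
    scratch = tempfile.mkdtemp()
    os.chmod(scratch, 0o1777)          # world-writable + sticky, like /tmp
    fake = os.path.join(scratch, "python")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho 'this is NOT the real interpreter'\n")
    os.chmod(fake, 0o755)

    # Constructed PATH values: the "bad" one has the scratch dir first and
    # a trailing ':' (i.e. '.'), the "good" one only system directories.
    bad_path = os.pathsep.join([scratch, "/usr/local/bin", "/usr/bin", ""])
    good_path = os.pathsep.join(["/usr/local/bin", "/usr/bin"])

    for label, p in (("bad", bad_path), ("good", good_path)):
        print(f"{label} PATH={p}")
        for entry, problems in audit_path(p).items():
            if problems:
                print(f"  {entry}: {'; '.join(problems)}")
        print(f"  'env python' would run: {resolve_like_env('python', p)}")
    shutil.rmtree(scratch)


if __name__ == "__main__":
    demo()
```

Running `demo()` reports the scratch directory as world-writable and the trailing empty entry as relative, and shows that with the bad PATH `env python` resolves to the planted script rather than the system interpreter; with the good PATH only the real interpreter (or nothing, on a box without one) is found. Fixing the PATH, not avoiding `/usr/bin/env`, is what removes the problem, which is the thread's conclusion.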