On 02/04/2017 08:19 AM, Wildman via Python-list wrote:
> No, I do not know. You might try your question in
> a Linux-specific group. Personally I don't understand
> the danger in having the dot in the path. The './'
> only means the current directory. DOS and Windows
> have searched the current directory since their
> beginning. Is that also dangerous?
Because of how the DOS and Windows command-line interpreters work, it's slightly less dangerous. That's because a lot of commands are built into the interpreter: commands like dir, type, etc. So a malicious download can't really override those with local copies.

In Linux, a lot of critical commands are actual programs in the search path: commands like ls, cat, etc. So if . is in the path, it's far easier for a malicious download (or script) to place shadow programs in the current directory that will run when you try to use what you think is a system command.

If strict user/root separation is maintained, then the damage can be mitigated somewhat. Except for something like a shadow copy of sudo that snags your password, then uses it to execute an arbitrary script as root using the real sudo. Game over.

-- 
https://mail.python.org/mailman/listinfo/python-list
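The shadowing described in the reply above, as an added example that is not part of the original thread: a small POSIX sh script that (a) checks whether a PATH value contains any entry resolved relative to the current directory (a literal `.`, an empty entry such as a leading or trailing `:`, or `./bin`), and (b) plants a fake `ls` in a scratch directory and shows that it runs in place of the real one when `.` leads PATH, while a shell builtin such as `true` is unaffected, which is the point made about DOS/Windows builtins. It assumes `/bin/sh`, `mktemp(1)`, and that `true` is a builtin of `/bin/sh` (it is in bash, dash and busybox ash). The fake program only announces itself; the sudo scenario in the reply is the same trick with the fake calling the real binary afterwards.

```shell
#!/bin/sh
# Added example, not from the original python-list thread. Demonstrates the
# two claims in the reply: an external command such as "ls" is shadowed by a
# same-named file in the current directory when PATH contains "." (or an
# empty entry, which the shell also treats as "."), while a shell builtin
# such as "true" is not. Assumes /bin/sh, mktemp(1) and that "true" is a
# builtin of /bin/sh (it is in bash, dash and busybox ash).

# Return success if the PATH value in $1 (default: $PATH) has any entry that
# is resolved relative to the current directory: "", ".", "./", "bin", "../x".
# Splits on ':' by hand so that empty entries are not lost the way
# `set -- $p` with IFS=: would lose a trailing one.
path_has_cwd() {
    rest="${1-$PATH}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            /*) ;;           # absolute: fine
            *)  return 0 ;;  # relative: resolved against whatever cwd is
        esac
    done
    return 1
}

# Plant a fake copy of the command named $2 in a fresh directory (a
# constructed stand-in for a malicious download: it only announces itself,
# whereas a real one would call the genuine program afterwards so the victim
# notices nothing), cd there, and run the command under PATH=$1 in a fresh
# /bin/sh so that no cached lookup from this shell interferes. Prints what
# the command printed.
run_with_fake() {
    p=$1
    name=$2
    dir=$(mktemp -d "${TMPDIR:-/tmp}/shadow.XXXXXX") || return 1
    printf '#!/bin/sh\necho "SHADOWED-%s"\n' "$name" > "$dir/$name"
    chmod 755 "$dir/$name"
    out=$(cd "$dir" && PATH="$p" /bin/sh -c "$name")
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# What the reply describes, when run directly:
if path_has_cwd; then
    echo "warning: PATH resolves something relative to the cwd: $PATH"
fi
echo "ls   with '.' first : $(run_with_fake ".:/usr/bin:/bin" ls)"
echo "ls   with sane PATH : $(run_with_fake "/usr/bin:/bin" ls)"
echo "true with '.' first : [$(run_with_fake ".:/usr/bin:/bin" true)] (builtin; the fake never runs)"
```

Run it from any directory; the second `ls` line prints `ls` because the real `ls` lists the scratch directory, which holds only the fake, and the `true` line prints empty brackets because the builtin wins over anything in PATH. `path_has_cwd` flags relative entries, not just a literal `.`, since `./bin` or a bare `bin` are just as exposed.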