There are 2 *blocker* tickets for the sage-5.4 release and since these are security-related, I absolutely think these must be fixed. I'm open to discussing /how/ they should be fixed, but not /whether/ they should be fixed. Both tickets put users running Sage (in particular doctests) at risk from evil users on their system, so this is a huge concern for shared systems.

#13579: Python sys.path security risk

This is the ticket which has been discussed a lot. I absolutely think we should fix Python's bad sys.path behaviour. There is a patch up for review at http://trac.sagemath.org/sage_trac/ticket/13579

#13595: LD_LIBRARY_PATH potential security risk

In Sage, LD_LIBRARY_PATH ends with ":", which means the current working directory will be searched also. This must be fixed because of obvious security dangers.
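
Added example, not part of the original post and not Sage's own code: a POSIX shell check for the #13595 condition, where an empty entry in LD_LIBRARY_PATH (such as the one a trailing ":" creates) makes the loader search the current working directory. The function names and the /opt/example/lib path are hypothetical, and the example goes slightly beyond the trailing-":" case by also flagging leading or doubled colons, "." and other relative entries.

```shell
#!/bin/sh
# Added example: find and remove LD_LIBRARY_PATH-style entries that are
# resolved relative to the current working directory.

# Print every entry that is empty, "." or otherwise not absolute.
# Returns 0 if at least one such entry exists, 1 if the list is clean.
cwd_entries() {
    [ -n "$1" ] || return 1        # empty value: no entries to check
    found=1
    n=0
    rest="$1:"                     # sentinel so the last entry is visited too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        n=$((n + 1))
        case $entry in
            /*) ;;                 # absolute directory: fine
            *)  printf "entry %d: '%s'\n" "$n" "$entry"; found=0 ;;
        esac
    done
    return $found
}

# Print the list with every non-absolute entry dropped.
clean_path() {
    out=
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) out=${out:+$out:}$entry ;;
        esac
    done
    printf '%s\n' "$out"
}

# Prepend DIR to LIST without leaving a trailing ":" when LIST is empty,
# which is what a plain "$dir:$LD_LIBRARY_PATH" produces in that case.
prepend_dir() {                    # prepend_dir DIR LIST
    printf '%s\n' "$1${2:+:$2}"
}

sample="/opt/example/lib:"         # constructed value ending in ":"
cwd_entries "$sample" && echo "cleaned: $(clean_path "$sample")"
```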