Issue 26414: os.defpath too permissive
A bug has been filed against Solaris' internal version of Python, which is largely the same (including in this case) as the base version we get from python.org. The bug is that os.defpath starts with ':' and thus any Python script run with a null PATH environment variable will use the current working directory as its first entry. This is generally considered to be bad practice, and especially dangerous for anyone running with root privileges on a Unix box. So we intend to change Solaris' version of Python to elide this, i.e., to apply the attached patch to our 2.7 version and comparable patches to our 3.4 and 3.5 versions.
As a precaution, I queried the security list before filing this bug, asking:
- Is this intentional? (Seems like it but I couldn't find any documentation to confirm.)
- If so, why? (Feel free to point me to any docs I missed.)
- If it is intentional, and we were to change our version anyway, do you know of any gotchas we should look out for? There were no regressions when I ran the Python test suite.
and got the following reply:
From: Guido van Rossum <guido@python.org>
Date: Sat, 20 Feb 2016 09:29:11 -0800
Subject: Re: [PSRT] os.defpath too permissive
Wow. That looks like something really old. I think you can just file an issue with a patch for this at bugs.python.org. I agree that it should be fixed. I don't think there are many users that would be vulnerable, nor do I think that much code would break; the only use in the stdlib has os.environ.get("PATH", os.defpath) so in all practical cases it would get the user's $PATH variable (which is presumably safe) anyway.
So I am now filing this bug as suggested.
Linux man page for execvp(3) <http://man7.org/linux/man-pages/man3/execvp.3.html> says:
The default search path (used when the environment does not contain the variable PATH) shows some variation across systems. It generally includes /bin and /usr/bin (in that order) and may also include the current working directory. On some other systems, the current working directory is included after /bin and /usr/bin, as an anti-Trojan-horse measure. The glibc implementation long followed the traditional default where the current working directory is included at the start of the search path. However, some code refactoring during the development of glibc 2.24 caused the current working directory to be dropped altogether from the default search path. This accidental behavior change is considered mildly beneficial, and won't be reverted.
So while having cwd in os.defpath has some historical justification, now that glibc dropped it from its default PATH, it would be prudent for Python to follow suit.
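The following is an added illustration, not code from the issue or from CPython itself. It models what the reporter and the execvp(3) man page describe: an empty entry in a PATH-style string (the leading ':' in the old os.defpath) is consulted as the current working directory, so a script started with PATH unset can pick up a same-named file in cwd before /bin. The `LEGACY_DEFPATH` value, the constructed set of "existing" files and the helper names (`search_dirs`, `cwd_positions`, `harden_path`, `resolve`, `effective_path`) are assumptions made for the example; the `os.environ.get("PATH", os.defpath)` fallback pattern is the one the quoted reply mentions.

```python
import posixpath

# Constructed to mirror the pre-fix Unix os.defpath described in the report:
# the leading ':' produces an empty first entry, which an execvp-style search
# treats as the current working directory.
LEGACY_DEFPATH = ":/bin:/usr/bin"
PATH_SEP = ":"  # Unix separator; fixed here so the example behaves the same everywhere


def search_dirs(path_value, cwd="."):
    """Expand a PATH-style string into the directories an execvp-style search
    consults, in order. An empty entry (leading, trailing or doubled ':')
    stands for the current working directory."""
    return [entry if entry else cwd for entry in path_value.split(PATH_SEP)]


def cwd_positions(path_value):
    """Indices of entries that resolve to the current working directory,
    i.e. empty entries and a literal '.'. A non-empty result is the condition
    the report flags as unsafe for a default search path."""
    return [i for i, e in enumerate(path_value.split(PATH_SEP)) if e in ("", ".")]


def harden_path(path_value):
    """Return the same search path with cwd entries removed and duplicates
    collapsed, preserving the order of the remaining directories."""
    seen = set()
    kept = []
    for entry in path_value.split(PATH_SEP):
        if entry in ("", ".") or entry in seen:
            continue
        seen.add(entry)
        kept.append(entry)
    return PATH_SEP.join(kept)


def effective_path(environ, defpath=LEGACY_DEFPATH):
    """The lookup pattern the quoted reply cites: the caller's PATH wins, and
    defpath is only reached when PATH is absent from the environment."""
    return environ.get("PATH", defpath)


def resolve(name, path_value, exists, cwd):
    """Simulate execvp-style resolution of `name`: return the first candidate
    for which `exists` reports a file. `exists` is injected so the example
    runs offline against a constructed filesystem view."""
    for directory in search_dirs(path_value, cwd):
        candidate = posixpath.join(directory, name)
        if exists(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed filesystem view: a copy of "ls" sits in the working
    # directory alongside the real /bin/ls.
    present = {"/tmp/work/ls", "/bin/ls"}
    empty_env = {}
    path = effective_path(empty_env)
    print("cwd entries at positions:", cwd_positions(path))
    print("legacy resolves to:", resolve("ls", path, present.__contains__, "/tmp/work"))
    print("hardened resolves to:", resolve("ls", harden_path(path), present.__contains__, "/tmp/work"))
```

With PATH unset the legacy default resolves `ls` to the copy in the working directory, while the hardened path (equivalent to what the attached patch produces by dropping the leading ':') resolves to /bin/ls; `cwd_positions` is the check a reviewer can run against any default search path to catch the same problem.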