[Python-Dev] Adding a new C API function in 2.6

Guido van Rossum guido at python.org
Thu May 20 21:53:31 CEST 2010


Sounds good to me, since this is (a) a security fix that will make some vendors happy, and (b) only a C-level API. I expect that some apps embedding Python will use this API unconditionally and this will break with earlier Python versions; this could be intentional because of the vulnerability (else why would they change their code to call the new API), or they can use an #if to check for a version >= 2.6.6.

--Guido

On Thu, May 20, 2010 at 12:32 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:

Hello,

I would like to check that it's possible to add a new C API function in the 2.6 branch, on the basis that it would help solve what seems to be reported as a security problem by several vendors (including Linux distributions) -- see http://bugs.python.org/issue5753 for a thorough discussion.

The change is rather minimal at the code level; it adds a new function PySys_SetArgvEx which has an additional flag telling it whether to update sys.path or not. The existing PySys_SetArgv function unconditionally updates sys.path, which can allow shadowing of stdlib or third-party library modules by an attacker.

Thank you

Antoine.



--
--Guido van Rossum (python.org/~guido)
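To make the sys.path problem discussed above concrete, here is an added example (not code from this thread or from CPython) that models in Python what the two C calls do to sys.path: PySys_SetArgv inserts the directory of argv[0] at sys.path[0], which is the empty string (the current working directory) when argv[0] has no directory component, while PySys_SetArgvEx with updatepath set to 0 leaves sys.path alone. The model is simplified (the real code is C and also resolves symlinks), the module name `vendorlib` and the directory layout are constructed, and `audit_path` is a hypothetical check an embedding application could run after interpreter initialisation to spot untrusted path entries.

```python
"""Model of how PySys_SetArgv() changes sys.path and why PySys_SetArgvEx(..., 0)
exists.  Added example for this thread; not code from the thread or from CPython.
The helper functions model the C API's effect on sys.path so the shadowing risk
can be demonstrated offline; module names and directory layout are constructed."""
import importlib.machinery
import os
import tempfile
from pathlib import Path
from typing import List, Optional


def legacy_setargv_path(argv0: str, base_path: List[str]) -> List[str]:
    """Model of PySys_SetArgv(argc, argv): the directory of argv[0] is inserted
    at sys.path[0].  When argv[0] has no directory component (or is empty) the
    inserted entry is '', i.e. the process's current working directory.
    Simplified model: CPython's own code is in C and also resolves symlinks."""
    return [os.path.dirname(argv0)] + list(base_path)


def hardened_path(argv0: str, base_path: List[str]) -> List[str]:
    """Model of PySys_SetArgvEx(argc, argv, 0): argv is recorded but sys.path
    is left untouched.  Same end state as popping sys.path[0] immediately
    after PySys_SetArgv() on interpreters that lack the new function."""
    del argv0  # recorded in sys.argv by the real call; irrelevant to sys.path
    return list(base_path)


def audit_path(path_entries: List[str]) -> List[str]:
    """Hypothetical post-initialisation check: return the sys.path entries an
    embedding application should question, i.e. '' (current working directory)
    and any other relative entry, which resolve differently depending on where
    the process was started."""
    return [e for e in path_entries if e == "" or not os.path.isabs(e)]


def resolve_module(name: str, path_entries: List[str]) -> Optional[str]:
    """Return the file `name` would be imported from, given a sys.path-like
    list, without touching the real sys.path or sys.modules."""
    spec = importlib.machinery.PathFinder.find_spec(name, path_entries)
    return spec.origin if spec is not None else None


def demo() -> dict:
    """Show the shadowing: an app started from a writable directory with the
    legacy sys.path imports a planted copy of a library; with the hardened
    path it imports the real one.  Everything is constructed in a temporary
    directory and removed afterwards."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp, "site-packages")
        writable = Path(tmp, "writable-cwd")
        trusted.mkdir()
        writable.mkdir()
        # 'vendorlib' is a constructed stand-in for any stdlib/third-party module.
        (trusted / "vendorlib.py").write_text('VERSION = "trusted"\n')
        (writable / "vendorlib.py").write_text('VERSION = "planted"\n')
        try:
            os.chdir(writable)  # the process is launched from the writable dir
            argv0 = "app_script.py"  # no directory component -> '' goes first
            legacy = legacy_setargv_path(argv0, [str(trusted)])
            hardened = hardened_path(argv0, [str(trusted)])
            legacy_origin = resolve_module("vendorlib", legacy)
            hardened_origin = resolve_module("vendorlib", hardened)
            planted = (writable / "vendorlib.py").resolve()
            real = (trusted / "vendorlib.py").resolve()
            return {
                "legacy_resolves_to_planted": Path(legacy_origin).resolve() == planted,
                "hardened_resolves_to_trusted": Path(hardened_origin).resolve() == real,
                "legacy_audit_flags": audit_path(legacy),
                "hardened_audit_flags": audit_path(hardened),
            }
        finally:
            os.chdir(old_cwd)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demo resolves imports with `importlib.machinery.PathFinder` against a path list rather than mutating the interpreter's own sys.path, so it can be run inside any process; the C equivalent of the hardened branch is simply passing 0 as the third argument of PySys_SetArgvEx.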


