[Python-Dev] Adding a new C API function in 2.6
Antoine Pitrou solipsis at pitrou.net
Thu May 20 21:32:53 CEST 2010
Hello,
I would like to check that it's possible to add a new C API function in the 2.6 branch, on the basis that it would help solve what seems to be reported as a security problem by several vendors (including Linux distributions) -- see http://bugs.python.org/issue5753 for a thorough discussion.
The change is rather minimal at the code level; it adds a new function PySys_SetArgvEx which has an additional flag telling it whether to update sys.path or not. The existing PySys_SetArgv function unconditionally updates sys.path, which can allow shadowing of stdlib or third-party library modules by an attacker.
Thank you
Antoine.
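The sys.path difference described in the message, as an added example that is not part of the original post or of the CPython patch: a simplified Python model of the two behaviours (path updated or left alone) plus an audit helper that reports which standard-library names a directory would shadow if it were placed first on the search path. The function names, the `STDLIB_SAMPLE` list, and the file layout are constructed for illustration; the rule for which entry gets prepended is an assumption based on the documented behaviour, not taken from the message.

```python
import importlib
import importlib.machinery
import os
import tempfile

# Constructed sample of standard-library names to check for shadowing.
STDLIB_SAMPLE = ["ssl", "hashlib", "subprocess", "json"]


def path_after_setargv(argv, base_path, updatepath):
    """Simplified model of the sys.path effect (not CPython's C code).

    updatepath true  -> prepend the script's directory, or '' (the current
                        directory) when argv[0] is not an existing file.
    updatepath false -> leave the search path untouched.
    """
    if not updatepath:
        return list(base_path)
    script = argv[0] if argv else ""
    if script and os.path.isfile(script):
        entry = os.path.dirname(os.path.realpath(script))
    else:
        entry = ""
    return [entry] + list(base_path)


def shadowed_modules(directory, names):
    """Names that would be imported from `directory` if it came first."""
    importlib.invalidate_caches()
    find = importlib.machinery.PathFinder.find_spec
    return [n for n in names if find(n, [directory or os.getcwd()]) is not None]


def demo():
    """Build a constructed layout: a script with a stray ssl.py beside it."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "plugin.py")
        for fn in (script, os.path.join(d, "ssl.py")):
            open(fn, "w").close()
        base = ["/placeholder/stdlib"]  # stands in for the normal sys.path
        updated = path_after_setargv([script], base, updatepath=True)
        untouched = path_after_setargv([script], base, updatepath=False)
        return {
            "prepended_script_dir": updated[0] == os.path.realpath(d),
            "untouched": untouched == base,
            "shadowed": shadowed_modules(updated[0], STDLIB_SAMPLE),
        }


if __name__ == "__main__":
    print(demo())
```

Running `shadowed_modules` over the directory an embedding application is about to expose gives a quick pre-flight check for stray files that would take precedence over library modules.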