[Pkg-corba-devel] Bug#605188: python-omniorb-doc: Use of PYTHONPATH env var in an insecure way

Floris Bruynooghe flub at devork.be
Sat Nov 27 23:57:42 UTC 2010


severity #605188 minor
thanks

This is only in documentation, so I don't think it is RC.

Even then I'm not sure if it should be a bug at all, but I'll leave it
open for now so we can figure out what by the time we upload the next
version.

Regards
Floris

On 27 November 2010 22:45, Sandro Tosi <morph at debian.org> wrote:
> Package: python-omniorb-doc
> Version: 3.3-1
> Severity: important
> Tags: security
> User: debian-python at lists.debian.org
> Usertags: pythonpath
>
> Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
> an insecure way. Those packages do something like:
>
>    PYTHONPATH=/spam/eggs:$PYTHONPATH
>
> This is wrong, because if PYTHONPATH were originally unset or empty,
> current working directory would be added to sys.path.
>
> [1] http://lists.debian.org/debian-python/2010/11/msg00045.html
>
> Your package turns out to ship vulnerable examples or contains
> insecure advice: you can find a complete log at [2].
>
> [2] http://people.debian.org/~morph/mbf/pythonpath.txt
>
> Some guidelines on how to fix these bugs: in the case given above, you
> can use something like
>
>    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
>
> (If you don't know this construct, grep for "Use Alternative Value"
> in the bash/dash manpage.)
>
> Also, in cases like
>
>   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
>
> or
>
>   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
>
> you shouldn't need to touch PYTHONPATH at all.
>
> Feel free to contact debian-python at lists.debian.org in case of
> help.
>



-- 
Debian GNU/Linux -- The Power of Freedom
www.debian.org | www.gnu.org | www.kernel.org
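The construct Sandro quotes is easy to get wrong, so here is an added POSIX sh example (not part of the bug report or of the omniORB package) that builds the two PYTHONPATH values side by side and checks for the empty component that makes Python add the current working directory to sys.path. The function names and the sample directories (/spam/eggs, /opt/lib) are constructed for this illustration.

```shell
#!/bin/sh
# Constructed example: the insecure and the safe way of prepending a
# directory to PYTHONPATH, and a check for the empty entry that is the
# actual problem.

# Insecure form from the report: PYTHONPATH=/spam/eggs:$PYTHONPATH
# When the old value is unset or empty this yields "/spam/eggs:",
# i.e. a trailing empty component.
#   $1 = directory to prepend, $2 = current PYTHONPATH value (may be empty)
insecure_path() {
  printf '%s:%s' "$1" "$2"
}

# Safe form from the report: PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
# The separator is only emitted when the old value is non-empty
# ("Use Alternative Value" in sh(1)/bash(1)).
safe_path() {
  printf '%s%s' "$1" "${2:+:$2}"
}

# Return 0 (true) if the colon-separated list contains an empty component.
# Python treats an empty PYTHONPATH entry as the current working directory,
# so a script started from an untrusted directory would import modules
# from there.
has_empty_component() {
  case ":$1:" in
    *::*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Report one value; $1 = label, $2 = value
report() {
  if has_empty_component "$2"; then
    printf '%-9s %-28s <- empty entry, cwd ends up in sys.path\n' "$1" "$2"
  else
    printf '%-9s %-28s ok\n' "$1" "$2"
  fi
}

# Demonstration with PYTHONPATH unset (the case the report is about)
# and with an existing value.
for old in '' '/opt/lib'; do
  printf 'PYTHONPATH before: "%s"\n' "$old"
  report insecure "$(insecure_path /spam/eggs "$old")"
  report safe     "$(safe_path /spam/eggs "$old")"
done
```

With PYTHONPATH unset the insecure form produces `/spam/eggs:` and the check flags it; the safe form produces plain `/spam/eggs`. With an existing value both forms give `/spam/eggs:/opt/lib`, which is why the bug is invisible on systems where PYTHONPATH happens to be set. For the third pattern in the report (`PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py`), Python already puts the directory of the script being run at the front of sys.path, so no PYTHONPATH manipulation is needed at all.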