Bug#493937: [Patch] Prevent loading of Python modules in working directory
Bram Moolenaar
Bram at moolenaar.net
Tue Nov 4 21:08:09 UTC 2008
James -
> > > Vim's python interface calls PySys_SetArgv with an argv[0] that doesn't
> > > resolve to a filename. This causes Python to prepend sys.path with an
> > > empty string which, due to Python's use of relative imports, allows the
> > > possibility to run arbitrary code on the user's system if a file in
> > > Vim's working directory matches the name of a python module a
> > > Python-using vim script tries to import.
> > >
> > > This should be fixed by Python 2.6 as it uses absolute imports by
> > > default, but I have not been able to test it. The attached patch fixes
> > > the problem in Vim by removing any empty strings from sys.path.
> >
> > This is a Python bug, right? One should never add an empty entry to
> > sys.path. And probably should not add a path relative to the executable
> > anyway.
>
> Yes, it is a Python bug but it's one that they chose to ignore. The
> code for PySys_SetArgv specifically adds the empty entry when it is not
> able to resolve a filename (and therefore its parent directory). The
> default use of absolute imports in Python 2.6 (assuming that also
> affects their C interface) will only work around the issue of empty
> entries in sys.path.
>
> > Another solution would be to make the first argument to argv[] an
> > absolute path, e.g. "/". Is there something against that?
>
> That still adds an unnecessary directory to sys.path. In the case of
> Vim, I think the safest measure is to remove the extra entry from
> sys.path. For other applications, where there is a directory from which
> they want to load python plugins, it would make sense to add that
> directory to sys.path.
I suppose adding "/" won't break anything, but still isn't nice.
Your solution indeed looks like the best solution.
- Bram
--
The CIA drives around in cars with the "Intel inside" logo.
/// Bram Moolenaar -- Bram at Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
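The hazard described in the report and the remedy James proposes (dropping empty entries from sys.path), as an added Python example that is not part of this thread or of Vim's patch; the module name and the temporary working directory are constructed for the demonstration, and the embedding application's C-side call to PySys_SetArgv is simulated by appending "" to sys.path:

```python
"""Show why an empty sys.path entry is dangerous and how removing it helps."""
import importlib
import os
import sys
import tempfile


def sanitize_sys_path(path_entries):
    """Drop the empty-string entry that PySys_SetArgv adds when argv[0]
    does not resolve to a file. "" means "the current working directory
    at import time", so removing it stops the interpreter from picking up
    modules from whatever directory the embedding application is in."""
    return [p for p in path_entries if p != ""]


def import_from_cwd(module_name, keep_empty_entry):
    """Constructed scenario: a file named like a module the script imports
    sits in the working directory. Returns True if the import resolves to
    that file, False if the sanitized path does not find it."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, module_name + ".py"), "w") as fh:
            fh.write("MARKER = 'loaded from working directory'\n")
        saved_cwd, saved_path = os.getcwd(), list(sys.path)
        os.chdir(workdir)
        try:
            if keep_empty_entry:
                # what the report describes: "" present in sys.path
                sys.path[:] = saved_path + [""]
            else:
                # the proposed fix: no empty entries at all
                sys.path[:] = sanitize_sys_path(saved_path)
            importlib.invalidate_caches()
            try:
                mod = importlib.import_module(module_name)
            except ImportError:
                return False
            return getattr(mod, "MARKER", None) == "loaded from working directory"
        finally:
            os.chdir(saved_cwd)
            sys.path[:] = saved_path
            sys.modules.pop(module_name, None)
```

Running both branches shows the working-directory file is imported only while "" is on sys.path, which is exactly the behaviour the patch removes.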