> On Wed, Nov 17, 2010 at 22:58, Jakub Wilk <[email protected]> wrote:
>> A number of packages in the archive sets the PYTHONPATH environment variable
>> in an insecure way. They do something like:
>>
>> PYTHONPATH=/spam/eggs:$PYTHONPATH
>>
>> This is wrong, because if PYTHONPATH were originally unset or empty, current
>> working directory would be added to sys.path.

I wonder if this class of vulnerabilities (inc the LD_LIBRARY_PATH ones)
could be automatically warned about by lintian.

--
bye,
pabs

http://wiki.debian.org/PaulWise
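
The assignment quoted above next to a guarded form, plus a grep-based check of the kind the reply asks about, as an added shell example that is not part of the original thread and is not lintian's code. The function names, the sample script lines and /spam/lib are constructed for illustration; the regex is a heuristic that only covers simple one-line assignments.

```shell
#!/bin/sh
# Added example. /spam/eggs is the placeholder from the quoted message.

# Idiom from the report: leaves a trailing ':' (an empty entry) when the
# original value ($2) is unset or empty.
unsafe_prepend() { printf '%s\n' "$1:$2"; }

# Guarded idiom: emit the separator and old value only if it is non-empty.
safe_prepend() { old=$2; printf '%s\n' "$1${old:+:$old}"; }

# Succeeds if a colon-separated list contains an empty entry, which the
# consumer resolves to the current working directory.
has_empty_entry() {
    case $1 in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads a script on stdin and prints "lineno:line" for every assignment that
# joins VAR=...:$VAR or VAR=$VAR:... without a ${VAR:+...} guard.
flag_unguarded() {
    re=
    for v in PYTHONPATH LD_LIBRARY_PATH; do
        ref="[\$]([{]$v[}]|$v)"          # matches $VAR or ${VAR}
        re="${re:+$re|}$v=[\"']?([^\"' ;\${}]*:$ref|$ref:)"
    done
    grep -nE "$re" || :                  # no findings is not an error
}

# Constructed wrapper-script lines, not taken from any real package.
sample_script() {
    cat <<'EOF'
export PYTHONPATH=/spam/eggs:$PYTHONPATH
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/spam/lib"
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/spam/lib
EOF
}

sample_script | flag_unguarded
```

Only lines 1 and 3 of the sample are reported; the two `${VAR:+...}` forms pass because they never produce an empty entry.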

