I realize that to make diffs for the fixes I posted before, I
transferred edits from before I checked (and corrected!) them on a
different system to where the repo is; bother.  Here are fixed patches
that don't produce a constant result from the test.

Full source is at <URL:http://www.loveshack.ukfsn.org/emacs/>.

--- python-21.el	2008/02/23 14:38:13	1.59
+++ python-21.el	2008/09/10 09:59:25
@@ -1475,6 +1476,10 @@
 default `python-command', or argument NEW is non-nil.  See also the
 documentation for `python-buffer'.
 
+Note that, as a security measure, modules won't be loaded from the
+current directory if this command is invoked initially in a
+world-writable directory.
+
 Runs the hook `inferior-python-mode-hook' \(after the
 `comint-mode-hook' is run).  \(Type \\[describe-mode] in the process
 buffer for a list of commands.)"
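
Review bot: The added docstring paragraph does not say how a user gets current-directory imports back once they have been suppressed, or that the check is made only once, when the process is first started. The code comment in the next hunk already says a later chdir into a world-writable directory is not covered; a sentence to that effect belongs here as well, since the docstring is what users will read.
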
@@ -1502,9 +1507,25 @@
 			   (generate-new-buffer "*Python*")
 			   (car cmdlist) nil (cdr cmdlist)))
 	(setq-default python-buffer (current-buffer))
-	(setq python-buffer (current-buffer)))
-      (accept-process-output (get-buffer-process python-buffer) 5)
-      (inferior-python-mode)))
+	(setq python-buffer (current-buffer))
+	(accept-process-output (get-buffer-process python-buffer) 5)
+	(inferior-python-mode)
+	;; There's a security risk if we're invoked in a word-writable
+	;; directory (possibly just by finding the file with Eldoc
+	;; enabled).  An attacker could drop in a malicious os.py, for
+	;; instance, which will get loaded by `import os', since ''
+	;; heads sys.path when python is invoked interactively.  So in
+	;; that case, don't allow imports from the current directory.
+	;; (Using `sys' initially is OK, since it's a builtin.)  If
+	;; the user subsequently chdirs into a world-writable
+	;; directory, that's their lookout.  It's more convenient to
+	;; set things up here than in emacs.py, messing with sys.path
+	;; around the initial use of `os'.  See also comments below
+	;; about code loading.
+	(when (/= 0 (logand 2 (file-modes default-directory)))	; world-writable
+	  (message "Current directory world-writable --\
+ suppressing Python imports from it")
+	  (python-send-string "import sys; sys.path.remove('')")))))
   (if (memq major-mode python-source-modes)
       (setq python-buffer (default-value 'python-buffer))) ; buffer-local
   ;; Load function definitions we need.
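
Review bot: The test at (logand 2 (file-modes default-directory)) will signal a wrong-type-argument error if file-modes returns nil, which it does when the directory does not exist or cannot be examined (a buffer whose default-directory has since been deleted, for instance). Binding the result and testing it for nil before the logand would avoid breaking process startup in that case. Separately, only the "other" write bit is tested, so a group-writable directory is not treated as risky; if that is deliberate it is worth a word in the comment. The comment also says "word-writable" where "world-writable" is meant.
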
--- python.el	2008/02/23 14:40:01	1.12
+++ python.el	2008/09/10 10:03:13
@@ -1401,6 +1402,10 @@
 default `python-command', or argument NEW is non-nil.  See also the
 documentation for `python-buffer'.
 
+Note that, as a security measure, modules won't be loaded from the
+current directory if this command is invoked initially in a
+world-writable directory.
+
 Runs the hook `inferior-python-mode-hook' \(after the
 `comint-mode-hook' is run).  \(Type \\[describe-mode] in the process
 buffer for a list of commands.)"
@@ -1428,9 +1433,25 @@
 			   (generate-new-buffer "*Python*")
 			   (car cmdlist) nil (cdr cmdlist)))
 	(setq-default python-buffer (current-buffer))
-	(setq python-buffer (current-buffer)))
-      (accept-process-output (get-buffer-process python-buffer) 5)
-      (inferior-python-mode)))
+	(setq python-buffer (current-buffer))
+	(accept-process-output (get-buffer-process python-buffer) 5)
+	(inferior-python-mode)
+	;; There's a security risk if we're invoked in a word-writable
+	;; directory (possibly just by finding the file with Eldoc
+	;; enabled).  An attacker could drop in a malicious os.py, for
+	;; instance, which will get loaded by `import os', since ''
+	;; heads sys.path when python is invoked interactively.  So in
+	;; that case, don't allow imports from the current directory.
+	;; (Using `sys' initially is OK, since it's a builtin.)  If
+	;; the user subsequently chdirs into a world-writable
+	;; directory, that's their lookout.  It's more convenient to
+	;; set things up here than in emacs.py, messing with sys.path
+	;; around the initial use of `os'.  See also comments below
+	;; about code loading.
+	(when (/= 0 (logand 2 (file-modes default-directory)))	; world-writable
+	  (message "Current directory world-writable --\
+ suppressing Python imports from it")
+	  (python-send-string "import sys; sys.path.remove('')")))))
   (if (derived-mode-p 'python-mode)
       (setq python-buffer (default-value 'python-buffer))) ; buffer-local
   ;; Load function definitions we need.
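
Review bot: At the (setq python-buffer (current-buffer)) line a closing paren is dropped, so accept-process-output and (inferior-python-mode) now sit inside the same form as the setq rather than after it, along with the new check. That is a behaviour change beyond the security fix and the message does not mention it. If the intent is to run the mode setup and the sys.path adjustment only when a new process is created, please say so in the comment or the change log entry, so it is not mistaken for an indentation slip.
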
--- ./python.el	2008/09/10 18:52:37	1.1
+++ ./python.el	2008/09/10 19:07:15
@@ -1334,6 +1334,10 @@
 default `python-command', or argument NEW is non-nil.  See also the
 documentation for `python-buffer'.
 
+Note that, as a security measure, modules won't be loaded from the
+current directory if this command is invoked initially in a
+world-writable directory.
+
 Runs the hook `inferior-python-mode-hook' \(after the
 `comint-mode-hook' is run).  \(Type \\[describe-mode] in the process
 buffer for a list of commands.)"
@@ -1360,6 +1364,22 @@
       (setq python-buffer (current-buffer))
       (accept-process-output (get-buffer-process python-buffer) 5)
       (inferior-python-mode)
+      ;; There's a security risk if we're invoked in a word-writable
+      ;; directory (possibly just by finding the file with Eldoc
+      ;; enabled).  An attacker could drop in a malicious os.py, for
+      ;; instance, which will get loaded by `import os', since ''
+      ;; heads sys.path when python is invoked interactively.  So in
+      ;; that case, don't allow imports from the current directory.
+      ;; (Using `sys' initially is OK, since it's a builtin.)  If
+      ;; the user subsequently chdirs into a world-writable
+      ;; directory, that's their lookout.  It's more convenient to
+      ;; set things up here than in emacs.py, messing with sys.path
+      ;; around the initial use of `os'.  See also comments below
+      ;; about code loading.
+      (when (/= 0 (logand 2 (file-modes default-directory))) ; world-writable
+	(message "Current directory world-writable --\
+ suppressing Python imports from it")
+	(python-send-string "import sys; sys.path.remove('')"))
       ;; Load function definitions we need.
       ;; Before the preoutput function was used, this was done via -c in
       ;; cmdlist, but that loses the banner and doesn't run the startup
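
Review bot: The string sent at (python-send-string "import sys; sys.path.remove('')") raises ValueError in the inferior process if '' is not in sys.path, for example because a startup file has already removed it, and the traceback will land in the *Python* buffer. Guarding it, as in "if '' in sys.path: sys.path.remove('')", keeps it quiet. The removal is also sent only after (accept-process-output ... 5) has returned, so it affects imports issued from that point on; the comment would be clearer if it said that anything imported while the interpreter was starting up is not covered.
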
_______________________________________________
gnu-emacs-sources mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnu-emacs-sources