Antoine Pitrou <pit...@free.fr> added the comment:

Hello Jan,

> 1, doesn't avoid the need to fix the issue (by calling
> "PySys_SetArgvEx(argc, argv, 0);") in all current applications embedding
> Python,

As you said yourself, we don't want to break backwards compatibility for C API users -- especially between two minor versions such as 2.6.2 and 2.6.3. The current behaviour is certainly by design, otherwise it wouldn't be so complicated.

Besides, the patch you proposed is fragile as it relies on a hard coded value for the executable name, and it also complexifies the behaviour even more. I don't think we should apply it in core Python.

On the other hand, adding an /explicit/ option in the API minimizes the risk for confusion and signals clearly that an alternative is available.

> I don't think
> we can just rely on the fact, the developers will use it in a safe
> way in the future

Well, you can always shoot yourself in the foot in C, even without using the Python API. The patch just provides a practical way for Python-embedding applications to be safer. Then, it's up to application developers to do their job.

> Wouldn't be possible to fix it 'only in Python' and prevent such
> potential future malicious (mis)uses?

AFAICT, not without risking breaking compatibility for perfectly well-behaved apps which would rely on the current behaviour.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue5753>
_______________________________________