[EMAIL PROTECTED] wrote:

> Basically, someone could inject an arbitrary script called 'python'
> into your path that does whatever (rm -fr /) under your user context
> when you run the script. But the same thing would happen if you run
> 'python test.py' instead of '/usr/local/bin/python test.py' to run a
> script that doesn't have a she-bang or hasn't been flagged as
> executable. Some admins will use a fully-qualified path for every
> command to guard against this; I think that can be overkill.
The primary guard for this is not having publicly-writable things in your PATH. In other words, this is the argument for not putting things like /tmp or . (because you might cd to somewhere publicly writable like /tmp) in your PATH, not really for avoiding /usr/bin/env in hash bangs.

-- 
Erik Max Francis && [EMAIL PROTECTED] && http://www.alcyone.com/max/
San Jose, CA, USA && 37 20 N 121 53 W && AIM erikmaxfrancis
  We must all hang together, or, most assuredly, we will all hang separately.
  -- John Hancock
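The check the reply describes, written out as an added example (not code from the thread): it audits a PATH value for the entries that let someone shadow a command such as 'python', i.e. empty or "." entries, other relative entries, and directories that are world- or group-writable. It assumes a POSIX filesystem (stat mode bits, ":" separator); the function and finding names are my own.

```python
"""Audit a PATH value for entries an unprivileged user could use to shadow
a command name (the 'python' scenario from the thread)."""
import os
import stat
import sys


def classify_entry(entry, mode):
    """Return the list of problems for one PATH entry.

    `mode` is the directory's st_mode, or None if it does not exist; it is
    passed in so the logic can be exercised without touching the disk.
    """
    problems = []
    if entry in ("", "."):
        # An empty entry means the same thing as "." to the shell.
        problems.append("searches the current directory")
    elif not os.path.isabs(entry):
        problems.append("relative path, resolved against the current directory")
    if mode is None:
        # Harmless today, but whoever creates it later owns that PATH slot.
        problems.append("does not exist")
        return problems
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
        return problems
    if mode & stat.S_IWOTH:
        # /tmp lands here: the sticky bit stops deleting others' files,
        # not creating a new file named 'python'.
        problems.append("world-writable")
    elif mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def audit_path(path_value, sep=os.pathsep):
    """Return {entry: [problems]} for every problematic entry in path_value."""
    findings = {}
    for entry in path_value.split(sep):
        try:
            mode = os.stat(entry or ".").st_mode  # "" is searched as "."
        except OSError:
            mode = None
        problems = classify_entry(entry, mode)
        if problems:
            findings[entry] = problems
    return findings


if __name__ == "__main__":
    for entry, problems in audit_path(os.environ.get("PATH", "")).items():
        print("%-30s %s" % (repr(entry), ", ".join(problems)))
    sys.exit(0)
```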