As I wrote on the trac ticket before, there is virtually no difference 
between "source foobar" in the shell and "import foobar" in Python; both 
will happily pull in somebody else's code. And nobody would dream of 
compiling a shared library into /tmp and then setting LD_LIBRARY_PATH=/tmp to 
load it (in fact this might happen behind the scenes if you were to use 
libtool to compile something in /tmp). I don't see what's different if you 
put a Python script in /tmp; that's just ill-advised. 

That the Python testsuite does exactly this is a serious mistake.


On Thursday, October 11, 2012 8:10:02 PM UTC+1, Jeroen Demeyer wrote:
>
> On 2012-10-11 20:54, Robert Bradshaw wrote: 
> > This isn't just Python, it's a general issue of letting your import 
> > (including dynamic linking in C) paths be in control of a malicious 
> > user, or executing anything in world-writeable directories in general. 
> I actually do think it is "just Python", which is very insecure *by 
> default*.  Of course one can always mess up, but /tmp is not going to 
> magically end up in $LD_LIBRARY_PATH by itself.  In Python, /tmp might 
> end up in sys.path by itself. 
>

-- 
You received this message because you are subscribed to the Google Groups 
"sage-devel" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
Visit this group at http://groups.google.com/group/sage-devel?hl=en.
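The thread's point is that a search path (sys.path, or LD_LIBRARY_PATH) containing a directory other local users can write to, such as /tmp, lets them plant a module that `import foobar` will execute. The following is an added example, not code from the thread or from Sage: a small audit that flags such entries on the running interpreter's paths, plus a constructed demonstration that plants a module in a throwaway world-writable directory (mode 1777, like /tmp) and imports it. The helper names (`is_writable_by_others`, `unsafe_search_entries`, `demo_planted_module`) and the module name `foobar_planted_example` are the example's own; it assumes a POSIX host where directory mode bits are meaningful.

```python
"""Audit import search paths for directories other local users can write to.

Added example for the sage-devel discussion above; not Sage code.
Assumes a POSIX filesystem (mode bits are meaningful).
"""
import importlib
import os
import shutil
import stat
import sys
import tempfile


def is_writable_by_others(path):
    """True if `path` is a directory that is group- or world-writable.

    The sticky bit (set on /tmp) is deliberately ignored: it only stops other
    users from deleting or renaming your files, not from creating foobar.py
    next to yours.
    """
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def unsafe_search_entries(entries):
    """Return [(entry, resolved_path)] for entries other users can write to.

    An empty entry ('') or '.' means the current working directory, which is
    how /tmp can end up on a path without anybody spelling it out.
    """
    flagged = []
    for entry in entries:
        resolved = os.path.abspath(entry or os.curdir)
        if is_writable_by_others(resolved):
            flagged.append((entry, resolved))
    return flagged


def audit_process_paths():
    """Audit sys.path and, if set, LD_LIBRARY_PATH of this interpreter."""
    report = {"sys.path": unsafe_search_entries(sys.path)}
    ld = os.environ.get("LD_LIBRARY_PATH")
    if ld is not None:
        report["LD_LIBRARY_PATH"] = unsafe_search_entries(ld.split(os.pathsep))
    return report


def demo_planted_module(world_writable=True, module_name="foobar_planted_example"):
    """Constructed demonstration in a throwaway directory.

    Creates a directory (mode 1777 like /tmp when world_writable is True,
    else the private 0700 that mkdtemp gives), writes a module into it the
    way another local user could, prepends it to sys.path as Python does
    with a script's own directory, and imports it.
    Returns (flagged_entries, value_from_planted_module).
    """
    base = tempfile.mkdtemp(prefix="import-audit-")   # created 0700
    if world_writable:
        os.chmod(base, 0o1777)   # same mode as /tmp: world-writable + sticky
    with open(os.path.join(base, module_name + ".py"), "w") as fh:
        fh.write("# planted by 'another user'; runs on import\n"
                 "PLANTED = 'attacker code ran'\n")
    sys.path.insert(0, base)
    importlib.invalidate_caches()
    try:
        flagged = unsafe_search_entries([base])
        mod = importlib.import_module(module_name)
        return flagged, mod.PLANTED
    finally:
        sys.path.remove(base)
        sys.modules.pop(module_name, None)
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, entries in audit_process_paths().items():
        for entry, resolved in entries:
            print("%s: %r resolves to %s, writable by other users" % (name, entry, resolved))
    print("demo (world-writable dir):", demo_planted_module(True))
    print("demo (private dir):       ", demo_planted_module(False))
```

Run as a script from /tmp, the audit will flag sys.path[0] (the script's directory) exactly as the thread describes; the demo shows that the planted module imports identically whether or not the directory is flagged, which is why the check has to happen before the import, not after.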