#13579: test_executable security risk
---------------------------------------------------------------+------------------------------------------
       Reporter:  vbraun                                       |         Owner:  mvngu
           Type:  defect                                       |        Status:  needs_review
       Priority:  blocker                                      |     Milestone:  sage-5.4
      Component:  doctest                                      |    Resolution:
       Keywords:                                               |   Work issues:
Report Upstream:  Not yet reported upstream; Will do shortly.  |     Reviewers:  Volker Braun, Jeroen Demeyer
        Authors:  Jeroen Demeyer, Volker Braun                 |     Merged in:
   Dependencies:                                               |      Stopgaps:
---------------------------------------------------------------+------------------------------------------

Comment (by jdemeyer):

 Replying to [comment:19 vbraun]:
 > I'm not saying that I'm entirely happy with how Python handles this, but
 > it shows that upstream is aware of the issue and that's how they decided to
 > deal with it.
 I'm not sure whether upstream is really aware of the security consequences
 of their `sys.path` handling.

 My proposal would not disable the "script directory" situation completely:
 I would add the script directory to `sys.path` '''only if it is safe''' to
 do so.  In normal situations (a script with 0755 permissions in a
 directory with 0755 permissions owned by the same user), I would keep the
 current `sys.path` handling.

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:20>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
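
The "only if it is safe" test described in the comment above can be written as follows. This is an added example, not code from the ticket, from Sage or from Python; it assumes a POSIX system, and the function names, the choice to trust root as an owner, and the sample file name are hypothetical.

```python
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def is_safe_script_dir(script, trusted_uids=None):
    """True if neither the script nor its directory can be changed by other users."""
    if trusted_uids is None:
        # Assumption: the invoking user and root are the only trusted owners.
        trusted_uids = {os.getuid(), 0}
    script = os.path.realpath(script)
    for p in (script, os.path.dirname(script)):
        st = os.stat(p)
        if st.st_uid not in trusted_uids:
            return False
        # The sticky bit does not help: other users can still create new
        # modules in a writable directory, so any group/other write bit fails.
        if st.st_mode & WRITABLE_BY_OTHERS:
            return False
    return True

def filtered_sys_path(script, path):
    """Return a copy of `path` that keeps the script directory only if it is safe."""
    script_dir = os.path.dirname(os.path.realpath(script))
    if is_safe_script_dir(script):
        return list(path)
    # An empty entry in sys.path means the current directory.
    return [p for p in path if os.path.realpath(p or os.curdir) != script_dir]

def make_sample(dir_mode, script_mode):
    """Constructed sample: a script in a fresh temp directory with the given modes."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "script.py")
    with open(script, "w") as f:
        f.write("print('hello')\n")
    os.chmod(script, script_mode)
    os.chmod(d, dir_mode)
    return script

if __name__ == "__main__":
    # 0755/0755 is the "normal situation"; the other two are rejected.
    for dir_mode, script_mode in [(0o755, 0o755), (0o777, 0o755), (0o755, 0o775)]:
        s = make_sample(dir_mode, script_mode)
        print(oct(dir_mode), oct(script_mode), is_safe_script_dir(s))
```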
