#13579: Python sys.path security risk
-------------------------------------------------------+--------------------
Reporter:  vbraun                                      | Owner:      mvngu
Type:      defect                                      | Status:     positive_review
Priority:  blocker                                     | Milestone:  sage-5.4
Component: doctest                                     | Resolution:
Keywords:                                              | Work issues:
Report Upstream: Reported upstream. No feedback yet.   | Reviewers:  Volker Braun, Jeroen Demeyer
Authors:   Jeroen Demeyer, Volker Braun                | Merged in:
Dependencies:                                          | Stopgaps:
-------------------------------------------------------+--------------------
Comment (by jdemeyer):
Replying to [comment:59 vbraun]:
> As I've explained before, it's a terrible idea to have `test_executable`
> rely on the hidden premise that somebody chdir'ed to a safe directory
> before execution.

Serious question: why do you consider `test_executable()` as much more
dangerous than other doctesting? I.e. you seem to say that it's okay to
run doctests in `/tmp` except for `test_executable()`.

I think it's quite unlikely that somebody would doctest the Sage library
from `/tmp`.

The problem I have with your approach is that it unexpectedly changes
directory. In some cases, you might want to run a test from a given
directory, but that's impossible with your patch.

Would you accept a patch which checks in `test_executable()` that the
current directory is not world-writable and raises an exception if it is?
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:60>
Sage <http://www.sagemath.org>
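The check proposed at the end of the comment, written out as an added example (this is not code from the Sage ticket or from either author): refuse to proceed when the current directory, or any directory on `sys.path`, is writable by every user, since a file named like a standard module dropped there would be picked up ahead of the real one. The function and exception names are my own; the mode test uses only `os.stat` and the `stat` module.

```python
import os
import stat
import sys


class UnsafeDirectoryError(RuntimeError):
    """Raised when a directory that can influence imports is world-writable."""


def is_world_writable(path):
    """Return True if `path` has the other-write bit set (e.g. /tmp, mode 1777).

    The sticky bit does not make /tmp safe for this purpose: it only stops
    users from removing each other's files, while anyone can still create a
    new file such as `os.py` there and have it shadow the real module.
    """
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IWOTH)


def check_directory_safe(path=None):
    """Raise UnsafeDirectoryError if `path` (default: the cwd) is world-writable.

    This is the check suggested in the comment: rather than silently
    chdir'ing somewhere else, fail loudly so the caller notices the problem.
    Returns the checked path when it is acceptable.
    """
    if path is None:
        path = os.getcwd()
    if is_world_writable(path):
        raise UnsafeDirectoryError(
            "refusing to run from world-writable directory %r; a module "
            "placed there would shadow imports via sys.path" % path)
    return path


def unsafe_sys_path_entries(entries=None):
    """Return the entries of `entries` (default: sys.path) that are unsafe.

    An empty string on sys.path means 'the current directory', so it is
    resolved to the cwd before the stat. Entries that are not existing
    directories (stale .egg paths, zip files) are skipped rather than
    reported, since nothing can be created inside them.
    """
    if entries is None:
        entries = sys.path
    bad = []
    for entry in entries:
        real = entry if entry else os.getcwd()
        if os.path.isdir(real) and is_world_writable(real):
            bad.append(entry)
    return bad


if __name__ == "__main__":
    # Audit the interpreter's own import path, then the cwd.
    for entry in unsafe_sys_path_entries():
        print("world-writable sys.path entry: %r" % entry)
    print("cwd ok: %s" % check_directory_safe())
```

Calling `check_directory_safe()` at the start of a test that spawns subprocesses keeps the test's working directory intact while still refusing the one situation the reviewers disagree about; `unsafe_sys_path_entries()` extends the same test to the whole import path, which is where the ticket's title risk actually lives.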