[issue12989] Consistently handle path separator in Py_GetPath on Windows

2019-07-26 Thread Steve Dower


Steve Dower added the comment:

This code has been significantly rewritten since this bug, and I believe it's 
no longer an issue.

--
resolution:  -> out of date
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue12989] Consistently handle path separator in Py_GetPath on Windows

2016-09-24 Thread Mark Lawrence

Changes by Mark Lawrence:


--
nosy:  -BreamoreBoy




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2016-09-24 Thread Christian Heimes

Christian Heimes added the comment:

Steve, is this bug still relevant and a security problem?

--
assignee:  -> steve.dower
nosy: +christian.heimes
versions: +Python 3.6, Python 3.7 -Python 3.2, Python 3.3, Python 3.4




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2015-03-01 Thread Mark Lawrence

Mark Lawrence added the comment:

The patch is three parts that add one line, move one line and delete one 
line.  I've checked 2.6, 2.7, 3.2, 3.3, 3.4 and default.  In all cases the 
second part has already been implemented, the first and third have not.  
Assuming that these changes must still be done, do we also need additional unit 
tests?

--
nosy: +steve.dower, tim.golden, zach.ware

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue12989
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue12989] Consistently handle path separator in Py_GetPath on Windows

2014-06-11 Thread STINNER Victor

STINNER Victor added the comment:

Hum, it would be nice to have a unit test for this change.

--




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2014-06-10 Thread Mark Lawrence

Mark Lawrence added the comment:

If this is a security issue shouldn't it have been actioned?  If not does the 
type move to behaviour or what?

--
nosy: +BreamoreBoy




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2014-06-10 Thread Terry J. Reedy

Changes by Terry J. Reedy tjre...@udel.edu:


--
versions: +Python 3.4, Python 3.5 -Python 2.6, Python 3.1




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2012-01-07 Thread Éric Araujo

Changes by Éric Araujo mer...@netwok.org:


--
nosy: +eric.araujo




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2011-10-19 Thread STINNER Victor

Changes by STINNER Victor victor.stin...@haypocalc.com:


--
nosy: +haypo




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2011-10-19 Thread Florent Xicluna

Changes by Florent Xicluna florent.xicl...@gmail.com:


--
nosy: +flox




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2011-10-19 Thread Mark Hammond

Mark Hammond skippy.hamm...@gmail.com added the comment:

The first chunk of that patch is for when pythonhome==NULL.  There is also a 
similar block just under it when MS_WINDOWS is not defined.  While I don't know 
in which cases this will be built without that define, it looks as though the 
*buf++ = DELIM; should also be added to that block?

Also, there is an existing conditional:
 if (argv0_path) {

which can never be false (as argv0_path is a char array).  It could be changed 
to if (argv0_path[0]) but ISTM that it could also be removed completely - ie, 
the 2 lines left in that block should have no effect in the case where the 
buffer is empty.

I haven't actually tested it though, but apart from the first comment above, it 
*looks* like it does the right thing :)

--
nosy: +mhammond




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2011-09-19 Thread Guido van Rossum

Guido van Rossum gu...@python.org added the comment:

I'm not Barry or Benjamin, but having followed the thread on p...@python.org, 
this certainly looks like a security issue to me. As a second pair of eyes, I 
recommend MvL, who builds our Windows installers.

--
nosy: +gvanrossum, loewis




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2011-09-19 Thread Benjamin Peterson

Benjamin Peterson benja...@python.org added the comment:

Approved for 3.1 as far as I'm concerned.

--




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2011-09-19 Thread Terry J. Reedy

Terry J. Reedy tjre...@udel.edu added the comment:

Brian, you marked this 'patch review', bypassing 'test needed'. Should this 
have any visible effect at the Python level that can be tested?

--




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2011-09-16 Thread Terry J. Reedy

Terry J. Reedy tjre...@udel.edu added the comment:

Barry, Benjamin, do you agree that this is a security issue as far as future 
2.6 and 3.1 security fix releases are concerned?

--
nosy: +barry, benjamin.peterson, terry.reedy




[issue12989] Consistently handle path separator in Py_GetPath on Windows

2011-09-15 Thread Nam Nguyen

New submission from Nam Nguyen bits...@gmail.com:

The module search path is constructed from PYTHONPATH env-var, then zip path, 
then HKCU PythonPath, then HKLM PythonPath, then PYTHONPATH define (in 
pyconfig.h), and finally argv[0]. If PYTHONHOME is available, the PYTHONPATH 
define is expanded. These paths are separated by semicolon.

Without PYTHONHOME, PYTHONPATH define is appended to module_search_path as-is, 
and a semicolon comes **after** that. With PYTHONHOME, PYTHONPATH define is 
expanded, and there is no semicolon after it. Then, finally, when argv[0] is 
added to module_search_path, a semicolon is **prepended** before it.

This inconsistency in handling path delimiter leads to a case where two 
semicolons are next to each other (;;), which is translated to the current 
directory. It happens when PYTHONHOME is not found. The current directory is 
put in front of the application directory (argv[0]) causing a security issue 
whereby external modules might be imported inadvertently.

This patch makes semicolon handling consistent. A semicolon is appended at the 
end of every path component, except argv[0].

--
components: Interpreter Core, Windows
files: getpath.consistent.delim.patch
keywords: patch
messages: 144111
nosy: Nam.Nguyen
priority: normal
severity: normal
status: open
title: Consistently handle path separator in Py_GetPath on Windows
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file23169/getpath.consistent.delim.patch

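Added example, not part of the original submission and not CPython's own code: a small C model of the joining rules described in the report above, showing where the empty entry (;;) appears and that putting the delimiter after every component except argv[0] removes it. The function names, the scratch buffer and the sample paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DELIM ';'
static char g_buf[512];   /* scratch buffer for the demo (assumption) */

/* Model of the joining behaviour described in the report (not CPython's
   own code). `prefix` holds the earlier components, each followed by DELIM. */
static char *build_reported(const char *prefix, const char *define_part,
                            int have_home, const char *argv0_dir)
{
    /* Without PYTHONHOME the define is copied as-is and DELIM follows it;
       with PYTHONHOME nothing follows the expanded define. Either way the
       argv[0] directory is then added with DELIM prepended. */
    snprintf(g_buf, sizeof g_buf, "%s%s%s%c%s", prefix, define_part,
             have_home ? "" : ";", DELIM, argv0_dir);
    return g_buf;
}

/* Rule from the patch description: DELIM after every component except argv[0]. */
static char *build_consistent(const char *prefix, const char *define_part,
                              const char *argv0_dir)
{
    snprintf(g_buf, sizeof g_buf, "%s%s%c%s", prefix, define_part, DELIM, argv0_dir);
    return g_buf;
}

/* Count empty entries (leading, trailing or doubled DELIM). */
static int empty_entries(const char *path)
{
    int count = 0;
    const char *start = path;
    for (const char *p = path; ; p++) {
        if (*p != DELIM && *p != '\0') continue;
        if (p == start) count++;          /* nothing between two delimiters */
        if (*p == '\0') break;
        start = p + 1;
    }
    return count;
}

int main(void)
{
    /* Constructed sample values, not taken from a real installation. */
    const char *prefix = "C:\\extra;", *def = ".\\DLLs;.\\lib", *app = "C:\\app";
    printf("no home:    %s\n", build_reported(prefix, def, 0, app));
    printf("  empty entries: %d\n", empty_entries(g_buf));
    printf("with home:  %s\n", build_reported(prefix, "C:\\py\\DLLs;C:\\py\\lib", 1, app));
    printf("  empty entries: %d\n", empty_entries(g_buf));
    printf("consistent: %s\n", build_consistent(prefix, def, app));
    printf("  empty entries: %d\n", empty_entries(g_buf));
    return 0;
}
```

The same empty_entries check can be run over any assembled search path before it is used, since an empty entry is what the report says gets treated as the current directory.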



[issue12989] Consistently handle path separator in Py_GetPath on Windows

2011-09-15 Thread Brian Curtin

Changes by Brian Curtin br...@python.org:


--
keywords: +needs review
stage:  -> patch review
type:  -> security
versions:  -Python 3.4
