Untrusted search path vulnerability in the PySys_SetArgv API function
in Python before 2.6 prepends an empty string to sys.path when the
argv argument does not contain a path separator, which might allow
local users to execute arbitrary code via a Trojan horse Python file
in the current working directory.
Applications that trigger this vulnerability by calling PySys_SetArgv with a non-None argv need to make sure their sys.path is clean. An exemplary patch can be found here:
Isn't it better to make python behave better here to not allow for such an easy security mistake?
There is a Gnome tracker bug for all their applications:
(In reply to comment #2)
> Isn't it better to make python behave better here to not allow for such an
> easy security mistake?
Yes, this behaviour is not properly specified in the API and some applications now hit this trap. However, changing behaviour always has the risk of other applications breaking, because they implicitly rely on it.
Personally, I'd prefer fixing those applications that rely on this fluke rather than having others add special handlers themselves, but this seems best decided by Python upstream or our maintainers. I am not aware whether this discussion has been brought to them, but there are some comments already in other trackers:
Covered by GLSA 201401-04
Closing as fixed
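The description at the top of this report says the empty string ends up at the front of sys.path. As an added example (not the patch referenced in the report, and not code from Python or any affected application), this is a check an embedding application could run after calling PySys_SetArgv. The function names and the sample path are constructed for illustration, and treating every relative entry as unsafe is an assumption stricter than the report itself requires.

```python
import os
import sys


def is_cwd_dependent(entry):
    """True if imports resolved through this sys.path entry depend on the cwd."""
    # '' is what PySys_SetArgv prepends when argv[0] has no path separator.
    # '.' and any other relative entry resolve against the working directory
    # in the same way, so they are flagged too (assumption: stricter policy).
    return entry == "" or not os.path.isabs(entry)


def scrub_path(path):
    """Split a sys.path-style list into (clean, removed), preserving order."""
    clean, removed = [], []
    for entry in path:
        if is_cwd_dependent(entry):
            removed.append(entry)
        else:
            clean.append(entry)
    return clean, removed


# Constructed sample: what sys.path can look like inside an embedding
# application after PySys_SetArgv was called with an argv[0] such as "app".
SAMPLE_PATH = [
    "",
    "/usr/lib/python2.5",
    ".",
    "plugins",
    "/usr/lib/python2.5/site-packages",
]


if __name__ == "__main__":
    clean, removed = scrub_path(SAMPLE_PATH)
    print("removed from sample:", removed)
    print("kept from sample:   ", clean)

    # Applying the same check to the running interpreter: report first,
    # then replace the list in place so existing references see the change.
    live_clean, live_removed = scrub_path(sys.path)
    if live_removed:
        print("cwd-dependent entries in sys.path:", live_removed)
        sys.path[:] = live_clean
```

Running the check before any plugin or user module is imported matters, because a module already loaded from the working directory stays in sys.modules after the path is cleaned.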