New submission from Nam Nguyen <bits...@gmail.com>:

The module search path is constructed from the PYTHONPATH env-var, then the zip
path, then HKCU PythonPath, then HKLM PythonPath, then the PYTHONPATH define (in
pyconfig.h), and finally argv[0]. If PYTHONHOME is available, the PYTHONPATH
define is expanded. These paths are separated by semicolons.

Without PYTHONHOME, the PYTHONPATH define is appended to module_search_path
as-is, and a semicolon comes **after** that. With PYTHONHOME, the PYTHONPATH
define is expanded, and there is no semicolon after it. Then, finally, when
argv[0] is added to module_search_path, a semicolon is **prepended** before it.

This inconsistency in handling the path delimiter leads to a case where two
semicolons are next to each other (;;), which is translated to the current
directory. It happens when PYTHONHOME is not found. The current directory is
put in front of the application directory (argv[0]), causing a security issue
whereby external modules might be imported inadvertently.

This patch makes semicolon handling consistent. A semicolon is appended at the 
end of every path component, except argv[0].

----------
components: Interpreter Core, Windows
files: getpath.consistent.delim.patch
keywords: patch
messages: 144111
nosy: Nam.Nguyen
priority: normal
severity: normal
status: open
title: Consistently handle path separator in Py_GetPath on Windows
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file23169/getpath.consistent.delim.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12989>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
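
The delimiter handling described in the report, as an added example that is not part of the original submission and is not CPython's getpath code. It is a simplified model: the function names, the sample paths and the way the define is expanded are assumptions made for illustration.

```python
# Simplified model of the delimiter handling described in the report; this is
# not CPython's getpath code. All sample paths below are constructed.
DELIM = ";"

def expand(define, home):
    # Assumption: expansion is modelled as replacing a leading "." with home.
    return DELIM.join(home + p[1:] if p.startswith(".") else p
                      for p in define.split(DELIM))

def build_path(leading, define, argv0_dir, home=None, patched=False):
    """Join the components in the order given in the report."""
    buf = "".join(p + DELIM for p in leading)   # env var, zip, HKCU, HKLM
    if patched:
        # Patched rule: a delimiter after every component except argv[0].
        buf += (expand(define, home) if home else define) + DELIM
        return buf + argv0_dir
    if home is None:
        buf += define + DELIM        # define as-is, delimiter comes after
    else:
        buf += expand(define, home)  # expanded, no delimiter after
    return buf + DELIM + argv0_dir   # delimiter prepended before argv[0]

def entries(search_path):
    # An empty component (from ";;") is reported as the current directory.
    return [p if p else "<current directory>" for p in search_path.split(DELIM)]

LEADING = [r"C:\envlib", r"C:\app\python27.zip"]      # constructed
DEFINE = r".\DLLs;.\lib"                              # constructed
APP = r"C:\app"                                       # constructed

def report():
    cases = {
        "no home, unpatched": build_path(LEADING, DEFINE, APP),
        "home, unpatched": build_path(LEADING, DEFINE, APP, home=r"C:\py"),
        "no home, patched": build_path(LEADING, DEFINE, APP, patched=True),
        "home, patched": build_path(LEADING, DEFINE, APP, home=r"C:\py",
                                    patched=True),
    }
    return {name: entries(path) for name, path in cases.items()}

if __name__ == "__main__":
    for name, ents in report().items():
        print(f"{name}: {ents}")
```

Only the unpatched case without PYTHONHOME produces an empty component, and it lands immediately ahead of the application directory.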