Lars Wirzenius <l...@liw.fi> writes:
> On Thu, Sep 08, 2016 at 11:55:26AM +0100, Dimitri John Ledkov wrote:

>> Other languages do that too. E.g. Python. Doesn't Python have the same
>> concerns then too?

> Python doesn't put . in sys.path (the search path for imported
> modules). It puts the absolute path where the script was found as the
> first element. See https://docs.python.org/2/library/sys.html#sys.path
> for details.

That's a little better but not a lot better. It means that it's still
unsafe to run any script out of a world-writeable directory such as /tmp,
even if the sticky bit is set.

I don't see any inherent reason why that should have to be the case (other
than, of course, that this Python behavior is long-standing and lots of
software depends on it, but that's probably true of Perl as well -- I
already had to fix one place where I was relying on this behavior and
hadn't realized I was).

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
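An added example, not part of the original message or of any project's code: a start-up check that flags module search directories other users can write to, including the script directory that Python places first in sys.path. The function names and the choice of trusted owners (root and the invoking user) are assumptions made for this illustration, and it targets POSIX systems.

```python
import os
import stat
import sys


def unsafe_reason(path, trusted_uids=None):
    """Return why `path` is risky as an import directory, or None if it looks safe."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}  # assumption: only root and the caller are trusted
    # An empty sys.path entry means "current working directory".
    directory = os.path.abspath(path or os.getcwd())
    try:
        st = os.stat(directory)
    except OSError:
        return None  # nonexistent entries are ignored by the import system
    if not stat.S_ISDIR(st.st_mode):
        return None  # zip archives and the like are out of scope here
    if st.st_mode & stat.S_IWOTH:
        # The sticky bit only prevents removing other users' files; anyone
        # can still create a new module file in the directory.
        return "world-writable"
    if st.st_uid not in trusted_uids:
        return "owned by untrusted uid %d" % st.st_uid
    return None


def audit_sys_path(paths=None):
    """Return (entry, reason) for every risky entry in the search path."""
    paths = sys.path if paths is None else paths
    return [(p, unsafe_reason(p)) for p in paths if unsafe_reason(p)]


def drop_unsafe_script_dir(paths=None):
    """Remove paths[0] if risky; return the removed entry, else None.

    Assumes paths[0] is the script directory, as in the default start-up
    described above. Call before any further imports.
    """
    paths = sys.path if paths is None else paths
    if paths and unsafe_reason(paths[0]):
        return paths.pop(0)
    return None


if __name__ == "__main__":
    removed = drop_unsafe_script_dir()
    if removed is not None:
        print("dropped %r from sys.path" % removed, file=sys.stderr)
    for entry, reason in audit_sys_path():
        print("risky sys.path entry %r: %s" % (entry, reason), file=sys.stderr)
```

Python 3.11 and later also offer the `-P` option and the `PYTHONSAFEPATH` environment variable, which stop the interpreter from prepending the script directory at all; `-I` (isolated mode) has the same effect along with ignoring user site directories and `PYTHON*` variables.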