Nick Coghlan <ncogh...@gmail.com> added the comment:

Good catch Eryk, I misdiagnosed what was going on, since the current directory and the parent directory were the same location in Ned's particular example.

I double checked, and we resolve symlinks in path entries *before* performing the incorrect directory traversal ("..." below indicates the usual standard path entries, "/tmp" is the unexpected entry introduced by the bug), so it isn't possible to use a symlink to get a user-controlled directory onto the path:

```
$ ./python /tmp/spam
/tmp/spam
/tmp
...
$ ln -s /tmp/spam /tmp/mydir/malicious
$ ./python /tmp/mydir/malicious
/tmp/mydir/malicious
/tmp
...
```

That means that as far as I can tell, this is just a plain old bug, rather than a potential security concern (since privileged admin-controlled commands generally tend to live in admin-controlled directories, as if they didn't, potential attackers would be able to replace them with arbitrary code directly).

----------
title: Zipfile & directory execution in 3.5.4 adds the current directory to sys.path -> Zipfile & directory execution in 3.5.4 also adds the parent directory to sys.path

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32551>
_______________________________________
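
A regression check for the behaviour discussed in this message, as an added example that is not part of the original comment or of CPython's own code: it runs a directory containing `__main__.py` directly and through a symlink, then reports whether either parent directory appears on the child's `sys.path`. The helper names and the temporary directory layout are assumptions made for illustration, and POSIX symlinks are assumed.

```python
import json
import os
import subprocess
import sys
import tempfile

# Body of the __main__.py the child interpreter executes: dump its sys.path.
MAIN = "import json, sys\nprint(json.dumps(sys.path))\n"


def child_sys_path(target):
    """Run `python <target>` (a directory with __main__.py) and return its sys.path."""
    proc = subprocess.run([sys.executable, target], stdout=subprocess.PIPE,
                          check=True, universal_newlines=True)
    return json.loads(proc.stdout)


def leaked_parents(path_entries, target):
    """Parents of `target` (as given and symlink-resolved) present in path_entries."""
    entries = {os.path.realpath(p) for p in path_entries if p}
    parents = {os.path.dirname(os.path.abspath(target)),
               os.path.dirname(os.path.realpath(target))}
    return sorted(p for p in parents if os.path.realpath(p) in entries)


def check_interpreter():
    """Build a throwaway layout and test direct and symlinked directory execution."""
    with tempfile.TemporaryDirectory() as root:
        real = os.path.join(root, "real", "spam")   # admin-controlled stand-in
        link_dir = os.path.join(root, "mydir")      # user-controlled stand-in
        os.makedirs(real)
        os.makedirs(link_dir)
        with open(os.path.join(real, "__main__.py"), "w") as fh:
            fh.write(MAIN)
        link = os.path.join(link_dir, "malicious")
        os.symlink(real, link)
        return {name: leaked_parents(child_sys_path(target), target)
                for name, target in (("direct", real), ("symlink", link))}


if __name__ == "__main__":
    # Empty lists mean no parent directory leaked onto sys.path.
    for name, leaked in check_interpreter().items():
        print(name, "->", leaked or "no parent directory on sys.path")
```

On an interpreter with the bug described here, the "direct" case lists the parent of the real directory; a non-empty "symlink" result that names the symlink's own parent would indicate the user-controlled case the comment rules out.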