On Tue, Sep 2, 2014 at 4:02 AM, Steven D'Aprano <steve+comp.lang.pyt...@pearwood.info> wrote:
> I'm not really seeing how this is a security vulnerability. If somebody can
> break into my system and set a hostile GIT_EDITOR, or TMPDIR, environment
> variables, I've already lost.

Agreed. If I'm calling on your program and setting EDITOR or GIT_EDITOR or whatever to configure how you ask me to edit a file, that's because it's *my* system. The aforementioned setup is actually run as root; the 'editor' quite deliberately does almost nothing, but I know it's safe because I'm the one in control, not because the editor's sanitized.

ChrisA