Re: Upcoming change to perl: current directory in @INC

2016-09-12 Thread Raphael Hertzog
On Thu, 08 Sep 2016, Russ Allbery wrote: > Lars Wirzenius writes: > > Python doesn't put . in sys.path (the search path for imported > > modules). It puts the absolute path where the script was found as the > > first element. See https://docs.python.org/2/library/sys.html#sys.path > > for details.

Re: Upcoming change to perl: current directory in @INC

2016-09-10 Thread Jakub Wilk
* Lars Wirzenius, 2016-09-08, 14:04: See https://docs.python.org/2/library/sys.html#sys.path for details. That page documents the cases where the empty string (effectively the same as .) is inserted into the beginning of sys.path, but they're not relevant for installed software: one is for wh

Re: Upcoming change to perl: current directory in @INC

2016-09-09 Thread Russ Allbery
Vincent Lefevre writes: > On 2016-09-08 08:44:54 -0700, Russ Allbery wrote: >> That's a little better but not a lot better. It means that it's still >> unsafe to run any script out of a world-writeable directory such as >> /tmp, even if the sticky bit is set. > Running things in /tmp or its sub

Re: Upcoming change to perl: current directory in @INC

2016-09-09 Thread Vincent Lefevre
On 2016-09-08 08:44:54 -0700, Russ Allbery wrote: > That's a little better but not a lot better. It means that it's still > unsafe to run any script out of a world-writeable directory such as /tmp, > even if the sticky bit is set. Running things in /tmp or its subdirectories is prone to security

Re: Upcoming change to perl: current directory in @INC

2016-09-08 Thread Simon McVittie
On Thu, 08 Sep 2016 at 08:44:54 -0700, Russ Allbery wrote: > I don't see any inherent reason why that > should have to be the case (other than, of course, that this Python > behavior is long-standing and lots of software depends on it I suspect that Python scripts relying on their own directory be

Re: Upcoming change to perl: current directory in @INC

2016-09-08 Thread Russ Allbery
Lars Wirzenius writes: > On Thu, Sep 08, 2016 at 11:55:26AM +0100, Dimitri John Ledkov wrote: >> Other languages do that too. E.g. python, Doesn't python have the same >> concerns then too? > Python doesn't put . in sys.path (the search path for imported > modules). It puts the absolute path whe

Re: Upcoming change to perl: current directory in @INC

2016-09-08 Thread James McCoy
On Thu, Sep 08, 2016 at 02:04:21PM +0300, Lars Wirzenius wrote: > On Thu, Sep 08, 2016 at 11:55:26AM +0100, Dimitri John Ledkov wrote: > > On 29 August 2016 at 14:39, Dominic Hargreaves wrote: > > > tl;dr: '.' is being removed from perl's @INC by default; some breakage > > > in apps expected. > >

Re: Upcoming change to perl: current directory in @INC

2016-09-08 Thread Lars Wirzenius
On Thu, Sep 08, 2016 at 11:55:26AM +0100, Dimitri John Ledkov wrote: > On 29 August 2016 at 14:39, Dominic Hargreaves wrote: > > tl;dr: '.' is being removed from perl's @INC by default; some breakage > > in apps expected. > > > > For some years[1], it's been known that perl's habit of including '.

Re: Upcoming change to perl: current directory in @INC

2016-09-08 Thread Dimitri John Ledkov
Hello, On 29 August 2016 at 14:39, Dominic Hargreaves wrote: > tl;dr: '.' is being removed from perl's @INC by default; some breakage > in apps expected. > > For some years[1], it's been known that perl's habit of including '.' > in its module load path, (@INC) is potentially dangerous, since it

Re: Upcoming change to perl: current directory in @INC

2016-09-08 Thread Dominic Hargreaves
On Thu, Sep 08, 2016 at 11:19:47AM +0100, Ian Jackson wrote: > Dominic Hargreaves writes ("Upcoming change to perl: current directory in > @INC"): > > tl;dr: '.' is being removed from perl's @INC by default; some breakage > > in apps expected. > > I seem to have missed this. So, belatedly: > >

Re: Upcoming change to perl: current directory in @INC

2016-09-08 Thread Ian Jackson
Ian Jackson writes ("Re: Upcoming change to perl: current directory in @INC"): > And: is there a way I can make this change in an installation of > jessie or earlier ? That would be useful for various testing > purposes, and also might be appropriate in production systems

Re: Upcoming change to perl: current directory in @INC

2016-09-08 Thread Ian Jackson
Dominic Hargreaves writes ("Upcoming change to perl: current directory in @INC"): > tl;dr: '.' is being removed from perl's @INC by default; some breakage > in apps expected. I seem to have missed this. So, belatedly: Hooray! Thank you for taking care of our users' security. I'm pleased to se