How to get path of a .py script

Bernhard Herzog bh at intevation.de
Wed Dec 11 17:01:37 EST 2002

Previous message (by thread): How to get path of a .py script
Next message (by thread): problems with the types module
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"David Necas (Yeti)" <yeti at physics.muni.cz> writes:

> After I posted it, I realized this is a strong argument
> against using sys.path[0] for anything, because it allows
> a nasty symlink attack.

How? If using sys.path[0] for anything is a security problem, all python
scripts have it because Python looks in sys.path for modules.

> I can make it contain anything I want (I
> need write permissions in the directory which will appear
> there) by deliberately symlinking the script.

You'd still have to get someone to execute that symlink. If you can do
that you could just as well supply a real script doing whatever you
want. That's a well known security risk on Unix-like systems and the
reason one shouldn't have . in $PATH.

   Bernhard

-- 
Intevation GmbH                                 http://intevation.de/
Sketch                                 http://sketch.sourceforge.net/
MapIt!                                               http://mapit.de/

Previous message (by thread): How to get path of a .py script
Next message (by thread): problems with the types module
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-list mailing list