Bug#493937: [Patch] Prevent loading of Python modules in working directory
jamessan at debian.org
Mon Nov 3 22:21:08 UTC 2008
On Mon, Nov 03, 2008 at 10:23:27PM +0100, Bram Moolenaar wrote:
> James -
> > Bram,
> > Vim's python interface calls PySys_SetArgv with an argv that doesn't
> > resolve to a filename. This causes Python to prepend sys.path with an
> > empty string which, due to Python's use of relative imports, allows the
> > possibility to run arbitrary code on the user's system if a file in
> > Vim's working directory matches the name of a python module a
> > Python-using vim script tries to import.
> > This should be fixed by Python 2.6 as it uses absolute imports by
> > default, but I have not been able to test it. The attached patch fixes
> > the problem in Vim by removing any empty strings from sys.path.
> This is a Python bug, right? One should never add an empty entry to
> sys.path. And probably should not add a path relative to the executable
Yes, it is a Python bug but it's one that they chose to ignore. The
code for PySys_SetArgv specifically adds the empty entry when it is not
able to resolve a filename (and therefore its parent directory). The
default use of absolute imports in Python 2.6 (assuming that also
affects their C interface) will only work around the issue of empty
entries in sys.path.
> Another solution would be to make the first argument to argv an
> absolute path, e.g. "/". Is there something against that?
That still adds an unnecessary directory to sys.path. In the case of
Vim, I think the safest measure is to remove the extra entry from
sys.path. For other applications, where there is a directory from which
they want to load python plugins, it would make sense to add that
directory to sys.path.
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
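The mechanism discussed in this thread, as an added illustration (not Vim's patch, not code from the list): an empty entry in sys.path makes Python search the current working directory, so a file there can be picked up by an import a plugin script makes. The helper below strips such entries the way the thread describes; its `drop_relative` option goes beyond the described fix by also dropping other non-absolute entries, which are likewise resolved against the working directory at import time. The module name and the throwaway directory are constructed for the demonstration.

```python
"""Show why '' in sys.path is dangerous and the mitigation from the thread.

Added example, not part of the original message or of Vim. The module
name `vimdemo_cwd_shadow` and the temporary directory are constructed.
"""
import os
import sys
import tempfile
from importlib.machinery import PathFinder


def sanitize_module_path(entries, drop_relative=True):
    """Return a copy of a sys.path-style list without empty entries.

    The empty string is what PySys_SetArgv prepends when argv[0] does not
    resolve to a file; Python treats '' as "the current working directory".
    With drop_relative=True (an extension beyond the fix described in the
    thread, which only removes empty strings) any other non-absolute entry
    is dropped too, because it is also resolved against the cwd at import.
    """
    cleaned = []
    for entry in entries:
        if entry == "":
            continue
        if drop_relative and not os.path.isabs(entry):
            continue
        cleaned.append(entry)
    return cleaned


def find_module_origin(name, search_path):
    """Resolve `name` against an explicit search-path list (not sys.path
    itself) and return the file it would load from, or None if not found."""
    spec = PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def demo(module_name="vimdemo_cwd_shadow"):
    """Create a throwaway directory holding <module_name>.py, chdir into it,
    and compare resolution with and without the empty sys.path entry.

    Returns {'with_empty': origin-or-None, 'sanitized': origin-or-None}.
    """
    previous_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        module_file = os.path.join(workdir, module_name + ".py")
        with open(module_file, "w", encoding="utf-8") as fh:
            # Constructed stand-in for a file sitting in the editor's cwd.
            fh.write("# harmless placeholder module\n")
        os.chdir(workdir)
        try:
            # What PySys_SetArgv effectively leaves behind: '' at the front,
            # ahead of the interpreter's normal (absolute) entries.
            unsafe_path = [""] + [p for p in sys.path if p]
            safe_path = sanitize_module_path(unsafe_path)
            result = {
                "with_empty": find_module_origin(module_name, unsafe_path),
                "sanitized": find_module_origin(module_name, safe_path),
            }
        finally:
            # Restore cwd before the temporary directory is removed.
            os.chdir(previous_cwd)
    return result


if __name__ == "__main__":
    outcome = demo()
    print("with '' in path :", outcome["with_empty"])
    print("after sanitizing:", outcome["sanitized"])
```

Running the script prints the path of the file in the working directory for the unsanitized list and `None` once the empty entry is gone. In an embedding application the cleanup belongs right after `PySys_SetArgv`, before any script-controlled import can run, which is the ordering the thread's patch aims for.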