[Python-modules-team] Bug#605185: python-sqlobject: Use of PYTHONPATH env var in an insecure way
morph at debian.org
Sat Nov 27 22:45:57 UTC 2010
User: debian-python at lists.debian.org
Jakub Wilk performed an analysis for packages setting PYTHONPATH in
an insecure way. Those packages do something like:
This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.
Your package turns out to ship vulnerable examples or contains
insecure advice: you can find a complete log at .
Some guidelines on how to fix these bugs: in the case given above, you
can use something like
(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)
Also, in cases like
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
you shouldn't need to touch PYTHONPATH at all.
Feel free to contact debian-python at lists.debian.org in case of
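
Added example, not part of the original message or of python-sqlobject: a POSIX sh sketch contrasting an unconditional PYTHONPATH prepend with one built on the "Use Alternative Value" expansion (`${parameter:+word}`) that the message points to. The directory names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed illustration; /spam/eggs and /opt/lib are placeholder directories.

# Unconditional join: when the inherited value is unset or empty the result
# ends in ':', i.e. it carries an empty entry, which Python resolves to the
# current working directory when it builds sys.path.
prepend_insecure() {
    # $1 = directory to add, $2 = inherited PYTHONPATH (may be empty)
    printf '%s\n' "$1:$2"
}

# "Use Alternative Value": ${2:+:$2} expands to ":<value>" only when $2 is
# set and non-empty, so no separator (and no empty entry) is emitted otherwise.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# Audit helper: succeeds if a non-empty PYTHONPATH-style value contains an
# empty entry (leading colon, trailing colon, or two adjacent colons).
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Walk both forms over an empty and a populated inherited value.
for inherited in "" "/opt/lib"; do
    for form in prepend_insecure prepend_safe; do
        result=$("$form" /spam/eggs "$inherited")
        if has_empty_entry "$result"; then
            verdict="EMPTY ENTRY (cwd would be searched)"
        else
            verdict="ok"
        fi
        printf '%-17s inherited=%-10s -> %-22s %s\n' \
            "$form" "'$inherited'" "'$result'" "$verdict"
    done
done
```

In a wrapper script the safe form is written directly as `PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}`; `has_empty_entry` can also be pointed at values found in existing scripts when auditing them.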