[Twisted-Python] Question regarding widgets
Moshe Zadka
twisted at moshez.org
Tue Nov 5 23:31:09 MST 2002
On Wed, 06 Nov 2002, Steve Waterbury <waterbug at beeblebrox.gsfc.nasa.gov> wrote:
> How is having "." on your PYTHONPATH a serious security hole?
> (Of course it shouldn't be on _root_'s PYTHONPATH, but how is
> it bad for a regular user?)
What if you run a Python program from /tmp? One of those smart programs
which do something like
'''
try:
    import gtk
except ImportError:
    gtk = None
'''
What if some malicious user put a gtk.py in /tmp which does something like
'''
open(os.path.expanduser("~/.secret"))
os.chmod(os.path.expanduser("~/.secret"), 0777)
'''
And to top it all, assume gtk is, indeed, not installed on this system.
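An added example, not part of the original message: a defender-side check that reports which search-path entry would supply a module and whether that entry is relative or world-writable. The function names and the temporary directories standing in for /tmp and site-packages are assumptions made for illustration.

```python
import os
import stat
import tempfile


def resolve(entry, cwd):
    # '' and relative entries such as '.' are interpreted against the current directory.
    return os.path.normpath(os.path.join(cwd, entry))


def world_writable(directory):
    mode = os.stat(directory).st_mode
    return bool(mode & stat.S_IWOTH)


def audit(search_path, cwd, module):
    """Find the first entry that would supply `module`; return (directory, reasons) or None.

    Simplification: only module.py and module/__init__.py are considered.
    """
    for entry in search_path:
        directory = resolve(entry, cwd)
        candidates = (os.path.join(directory, module + ".py"),
                      os.path.join(directory, module, "__init__.py"))
        if not any(os.path.isfile(c) for c in candidates):
            continue
        reasons = []
        if not os.path.isabs(entry):
            reasons.append("relative entry follows the current directory")
        if world_writable(directory):
            reasons.append("directory is writable by other users")
        return directory, reasons
    return None


def demo():
    # Constructed scenario: `shared` stands in for /tmp, `site` for a
    # site-packages directory on a system where gtk is not installed.
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as site:
        os.chmod(shared, 0o1777)
        open(os.path.join(shared, "gtk.py"), "w").close()  # empty placeholder file
        with_dot = audit([".", site], cwd=shared, module="gtk")
        without_dot = audit([site], cwd=shared, module="gtk")
    return with_dot, without_dot


if __name__ == "__main__":
    print(demo())
```

Calling `audit(sys.path, os.getcwd(), name)` applies the same check to a live interpreter.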