[Bf-committers] [Patch] Solving security issues CVE-2008-1103 (partially) and CVE-2008-4083
Martin Poirier
theeth at yahoo.com
Wed Jan 20 21:15:07 CET 2010
--- On Wed, 1/20/10, Martin Poirier <theeth at yahoo.com> wrote:
> To be perfectly secure, we would need
> to remove all path that evaluates to current working
> directory.
>
> That includes ".", "./" and many others.
>
> Basically:
>
> import os
>
> sys.path = list(filter(lambda x: os.path.samefile(x, "."),
> sys.path))
replace with:
import os, sys
sys.path = list(filter(lambda x: os.path.isabs(x) or not os.path.samefile(os.path.abspath(x), "."), sys.path))
If you only want to remove relative paths that resolve to the current directory (solves the problem of running in a lib path).
Martin
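The filter above, written out as an added example (not code from the thread or from Blender itself) that also covers entries samefile() cannot handle: it keeps absolute entries, keeps relative entries that do not exist on disk (os.path.samefile raises for those), and drops every relative spelling of the working directory such as "", ".", "./" and "sub/..". The demo() function builds a scratch directory as a constructed stand-in for the process cwd.

```python
import os
import sys
import tempfile


def resolves_to_cwd(entry, cwd=None):
    """True if a *relative* sys.path entry denotes the working directory.

    Absolute entries are never removed (an installed library legitimately
    adds those), and entries missing on disk are kept as-is because
    os.path.samefile() raises OSError for a path that does not exist.
    """
    if cwd is None:
        cwd = os.getcwd()
    if os.path.isabs(entry):
        return False
    candidate = os.path.join(cwd, entry)   # "" and "." both land on cwd
    if not os.path.exists(candidate):
        return False
    # samefile compares device/inode, so symlinked spellings match too
    return os.path.samefile(candidate, cwd)


def strip_cwd_entries(paths, cwd=None):
    """Return the entries of `paths` that do not resolve to the cwd."""
    return [p for p in paths if not resolves_to_cwd(p, cwd)]


def harden_sys_path():
    """Rewrite sys.path in place so the cwd is no longer searched implicitly."""
    sys.path[:] = strip_cwd_entries(sys.path)
    return sys.path


def demo():
    """Constructed sample: a scratch directory standing in for the cwd."""
    scratch = tempfile.mkdtemp()
    os.mkdir(os.path.join(scratch, "plugins"))
    entries = ["", ".", "./", "plugins/..", "plugins", scratch, "missing_dir"]
    kept = strip_cwd_entries(entries, cwd=scratch)
    return scratch, entries, kept


if __name__ == "__main__":
    scratch, entries, kept = demo()
    print("before:", entries)
    print("after: ", kept)
```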