[Bf-committers] [Patch]Solving security issues CVE-2008-1103 (partialy) and CVE-2008-4083

Martin Poirier theeth at yahoo.com
Wed Jan 20 21:15:07 CET 2010

--- On Wed, 1/20/10, Martin Poirier <theeth at yahoo.com> wrote:

> To be perfectly secure, we would need
> to remove all path that evaluates to current working
> directory.
> That includes ".", "./" and many others.
> Basically:
> import os
> sys.path = list(filter(lambda x: os.path.samefile(x, "."),
> sys.path))

replace with:

list(filter(lambda x: os.path.isabs(x) or not os.path.samefile(os.path.abspath(x), "."), sys.path))
If you only want to remove relative paths that resolve to the current directory (solves the problem of running in a lib path).


The new Internet Explorer® 8 - Faster, safer, easier.  Optimized for Yahoo!  Get it Now for Free! at http://downloads.yahoo.com/ca/internetexplorer/

More information about the Bf-committers mailing list