[Twisted-Python] Question regarding widgets

Moshe Zadka twisted at moshez.org
Tue Nov 5 23:31:09 MST 2002


On Wed, 06 Nov 2002, Steve Waterbury <waterbug at beeblebrox.gsfc.nasa.gov> wrote:

> How is having "." on your PYTHONPATH a serious security hole?  
> (Of course it shouldn't be on _root_'s PYTHONPATH, but how is 
> it bad for a regular user?)  

What if you run a Python program from /tmp? One of those smart programs
which do something like

'''
try:
   import gtk
except ImportError:
   gtk = None
'''

What if some malicious user put a gtk.py in /tmp which does something like
'''
import os
# runs with the privileges of whoever imported "gtk"
open(os.path.expanduser("~/.secret"))
os.chmod(os.path.expanduser("~/.secret"), 0o777)
'''

And to top it all, assume gtk is, indeed, not installed on this system.
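
[Added example, not part of the original post:] a defensive check for the condition described above, flagging import-path entries that are relative (so they follow the current directory) or that point at directories other local users can write to, such as /tmp. The function name audit_search_path is hypothetical, and the mode-bit test assumes POSIX permissions.

```python
import os
import stat
import sys


def audit_search_path(entries, cwd=None):
    """Return (entry, reason) pairs for import-path entries where another
    local user could plant a module such as gtk.py."""
    cwd = cwd or os.getcwd()
    findings = []
    for entry in entries:
        # "" and "." (and any other relative entry) are resolved against the
        # current directory, so the import location follows every chdir.
        if not os.path.isabs(entry):
            findings.append((entry, "relative: resolves to " + os.path.join(cwd, entry)))
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue  # entry does not exist or cannot be inspected
        # The sticky bit on /tmp stops deletion of other users' files, not
        # creation of new ones, so group/other write access is still a finding.
        if stat.S_ISDIR(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable by group/other (mode %o)" % stat.S_IMODE(mode)))
    return findings


if __name__ == "__main__":
    # Audit both the environment variable and the path the interpreter built.
    env_entries = [e for e in os.environ.get("PYTHONPATH", "").split(os.pathsep) if e]
    for source, entries in (("PYTHONPATH", env_entries), ("sys.path", sys.path)):
        for entry, reason in audit_search_path(entries):
            print("%s: %r is risky: %s" % (source, entry, reason))
```

sys.path[0] is normally the directory of the script being run, so a script stored in a world-writable directory is reported through the sys.path pass even when PYTHONPATH is clean.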



