From: Andrew M. Kuchling Date: Fri, 11 Jun 2010 01:07:06 +0000 (+0000) Subject: #5753: mention PySys_SetArgvEx() in 2.6 What's News X-Git-Tag: v2.6.6rc1~200 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=edbb0915408bd395edf90ca4e659c094a5d2cc5c;p=python #5753: mention PySys_SetArgvEx() in 2.6 What's News --- diff --git a/Doc/whatsnew/2.6.rst b/Doc/whatsnew/2.6.rst index ba4f87d975..da1256c1b1 100644 --- a/Doc/whatsnew/2.6.rst +++ b/Doc/whatsnew/2.6.rst @@ -1788,7 +1788,7 @@ changes, or look through the Subversion logs for all the details. were applied. (Maintained by Josiah Carlson; see :issue:`1736190` for one patch.) -* The :mod:`bsddb` module also has a new maintainer, Jesús Cea, and the package +* The :mod:`bsddb` module also has a new maintainer, Jesús Cea Avion, and the package is now available as a standalone package. The web page for the package is `www.jcea.es/programacion/pybsddb.htm `__. 
@@ -2992,6 +2992,33 @@ Changes to Python's build process and to the C API include: architectures (x86, PowerPC), 64-bit (x86-64 and PPC-64), or both. (Contributed by Ronald Oussoren.) +* A new function added in Python 2.6.6, :cfunc:`PySys_SetArgvEx`, sets + the value of ``sys.argv`` and can optionally update ``sys.path`` to + include the directory containing the script named by ``sys.argv[0]`` + depending on the value of an *updatepath* parameter. + + This function was added to close a security hole for applications + that embed Python. The old function, :cfunc:`PySys_SetArgv`, would + always update ``sys.path``, and sometimes it would add the current + directory. This meant that, if you ran an application embedding + Python in a directory controlled by someone else, attackers could + put a Trojan-horse module in the directory (say, a file named + :file:`os.py`) that your application would then import and run. + + If you maintain a C/C++ application that embeds Python, check + whether you're calling :cfunc:`PySys_SetArgv` and carefully consider + whether the application should be using :cfunc:`PySys_SetArgvEx` + with *updatepath* set to false. Note that using this function will + break compatibility with Python versions 2.6.5 and earlier; if you + have to continue working with earlier versions, you can leave + the call to :cfunc:`PySys_SetArgv` alone and call + ``PyRun_SimpleString("sys.path.pop(0)\n")`` afterwards to discard + the first ``sys.path`` component. + + Security issue reported as `CVE-2008-5983 + `_; + discussed in :issue:`5753`, and fixed by Antoine Pitrou. + * The BerkeleyDB module now has a C API object, available as ``bsddb.db.api``. This object can be used by other C extensions that wish to use the :mod:`bsddb` module for their own purposes. 
@@ -3294,6 +3321,15 @@ that may require changes to your code: scoping rules, also cause warnings because such comparisons are forbidden entirely in 3.0. +For applications that embed Python: + +* The :cfunc:`PySys_SetArgvEx` function was added in Python 2.6.6, + letting applications close a security hole when the existing + :cfunc:`PySys_SetArgv` function was used. Check whether you're + calling :cfunc:`PySys_SetArgv` and carefully consider whether the + application should be using :cfunc:`PySys_SetArgvEx` with + *updatepath* set to false. + .. ======================================================================
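Review bot: the first hunk (`@@ -1788,7 +1788,7 @@`, the `bsddb` maintainer rename to "Jesús Cea Avion") is unrelated to the PySys_SetArgvEx change that the commit message "#5753: mention PySys_SetArgvEx() in 2.6 What's News" describes; either split it into its own commit or mention it in the commit message so the history stays searchable for the security-relevant change alone.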
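Review bot: in the second hunk (`@@ -2992,6 +2992,33 @@`), the suggested fallback `PyRun_SimpleString("sys.path.pop(0)\n")` will not work as written: `PyRun_SimpleString` executes in the `__main__` module's namespace, where `sys` is not bound unless the embedding application imported it there, so the call raises NameError and returns -1 instead of trimming the path. Suggest `PyRun_SimpleString("import sys; sys.path.pop(0)\n")`. It is also worth stating that the `pop(0)` must run immediately after `PySys_SetArgv` and before any other code touches `sys.path`, since it blindly removes whatever entry is first; otherwise a reader following the porting advice could drop a legitimate entry while leaving the attacker-controlled directory in place. Minor: "if you ran an application embedding Python in a directory controlled by someone else" reads more clearly as "if an application embedding Python was run from a directory controlled by someone else".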
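Review bot: the third hunk (`@@ -3294,6 +3321,15 @@`, the "Porting to Python 2.6" bullet) repeats the advice from the C API section but drops the two details a porter actually needs: that `PySys_SetArgvEx` only exists from 2.6.6 onward, and the `sys.path.pop(0)` fallback for builds that must still run against 2.6.5 and earlier. Suggest either a cross-reference to the C API section or one added sentence carrying those two points, so the porting checklist is self-contained. The opening clause "letting applications close a security hole when the existing :cfunc:`PySys_SetArgv` function was used" is awkward; "closing a security hole in applications that call the existing :cfunc:`PySys_SetArgv`" says the same thing more directly.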