author: Wojciech Siewierski <wojciech.siewierski@onet.pl> 2017-05-06 22:11:34 +0200
committer: Wojciech Siewierski <wojciech.siewierski@onet.pl> 2017-05-06 22:11:34 +0200
commit: d5e269d8f15b189bc54ed48be1c92247a4e0c84c
tree: a2936616602365f42f69554426d465c2416ad42b /ranger
parent: ccbcfc60810cba1ef79677a714746d40b34e34e7

Do not strip the current working directory from sys.path
Fixes #861.

This code was assuming that cwd is being added to `sys.path` but
according to my investigation it isn't true. On the other hand, the
script directory is added to `sys.path`, which would be `/usr/bin/` in
this case. `/usr/bin/` is neither a vulnerability, nor affected by
this code, so I'm removing it.

I'm pasting my brief tests of the Python module loading behavior:

```
[root@de5476e76587 test]# tree
.
├── main.py
└── ranger
    └── __init__.py

1 directory, 2 files
[root@de5476e76587 test]# cat main.py
import ranger
print("Done")
[root@de5476e76587 test]# cat ranger/__init__.py
print("I'm a bad module doing bad stuff to good people.")
[root@de5476e76587 test]# ./main.py
I'm a bad module doing bad stuff to good people.
Done
[root@de5476e76587 test]# cd ../
[root@de5476e76587 ~]# ./test/main.py
I'm a bad module doing bad stuff to good people.
Done
[root@de5476e76587 ~]# cd -
/root/test
[root@de5476e76587 test]# mv main.py ..
[root@de5476e76587 test]# ../main.py
Done
[root@de5476e76587 test]# PATH=..:$PATH main.py
Done
[root@de5476e76587 test]# mv ../main.py .
[root@de5476e76587 test]# cd ..
[root@de5476e76587 ~]# PATH=$PWD/test:$PATH main.py
I'm a bad module doing bad stuff to good people.
Done
[root@de5476e76587 ~]#
```
Diffstat (limited to 'ranger')
0 files changed, 0 insertions, 0 deletions
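
An added example, not part of the original commit or of ranger's code: it repeats the module-loading test from the commit message programmatically and adds Python's isolated mode (`-I`) as a fourth case. The package name `shadow_demo_pkg` and the directory names `planted` and `clean` are constructed for the illustration.

```python
import os
import subprocess
import sys
import tempfile

PKG = "shadow_demo_pkg"  # constructed name, stands in for the shadowed package
MAIN = f"try:\n    import {PKG}\nexcept ImportError:\n    pass\nprint('Done')\n"


def shadow_loaded(script_dir, cwd, *flags):
    """Run script_dir/main.py from cwd; True if the planted package executed."""
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONPATH", "PYTHONSAFEPATH")}
    out = subprocess.run(
        [sys.executable, *flags, os.path.join(script_dir, "main.py")],
        cwd=cwd, env=env, capture_output=True, text=True, check=True,
    ).stdout
    return "SHADOW" in out


def experiment():
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "planted")   # holds the look-alike package
        clean = os.path.join(root, "clean")       # holds only main.py
        os.makedirs(os.path.join(planted, PKG))
        os.makedirs(clean)
        with open(os.path.join(planted, PKG, "__init__.py"), "w") as f:
            f.write("print('SHADOW')\n")
        for d in (planted, clean):
            with open(os.path.join(d, "main.py"), "w") as f:
                f.write(MAIN)
        return {
            # package beside the script, started from that directory
            "beside_script_cwd_same": shadow_loaded(planted, planted),
            # package beside the script, started from somewhere else
            "beside_script_cwd_other": shadow_loaded(planted, clean),
            # package only in the cwd, script lives elsewhere
            "in_cwd_only": shadow_loaded(clean, planted),
            # isolated mode (-I) keeps the script directory off sys.path
            "beside_script_isolated": shadow_loaded(planted, clean, "-I"),
        }


if __name__ == "__main__":
    for case, loaded in experiment().items():
        print(f"{case:26} shadow package imported: {loaded}")
```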