From d5e269d8f15b189bc54ed48be1c92247a4e0c84c Mon Sep 17 00:00:00 2001
From: Wojciech Siewierski
Date: Sat, 6 May 2017 22:11:34 +0200
Subject: Do not strip the current working directory from sys.path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes #861.

This code was assuming that cwd is being added to `sys.path` but according to my investigation it isn't true. On the other hand, the script directory is added to `sys.path`, which would be `/usr/bin/` in this case. `/usr/bin/` is neither a vulnerability, nor affected by this code, so I'm removing it.

I'm pasting my brief tests of the Python module loading behavior:

```
[root@de5476e76587 test]# tree
.
├── main.py
└── ranger
    └── __init__.py

1 directory, 2 files
[root@de5476e76587 test]# cat main.py
import ranger
print("Done")
[root@de5476e76587 test]# cat ranger/__init__.py
print("I'm a bad module doing bad stuff to good people.")
[root@de5476e76587 test]# ./main.py
I'm a bad module doing bad stuff to good people.
Done
[root@de5476e76587 test]# cd ../
[root@de5476e76587 ~]# ./test/main.py
I'm a bad module doing bad stuff to good people.
Done
[root@de5476e76587 ~]# cd -
/root/test
[root@de5476e76587 test]# mv main.py ..
[root@de5476e76587 test]# ../main.py
Done
[root@de5476e76587 test]# PATH=..:$PATH main.py
Done
[root@de5476e76587 test]# mv ../main.py .
[root@de5476e76587 test]# cd ..
[root@de5476e76587 ~]# PATH=$PWD/test:$PATH main.py
I'm a bad module doing bad stuff to good people.
Done
[root@de5476e76587 ~]#
```
---
 ranger.py | 4 ----
 1 file changed, 4 deletions(-)

(limited to 'ranger.py')

diff --git a/ranger.py b/ranger.py index 0046f371..72905a3c 100755 --- a/ranger.py +++ b/ranger.py 
@@ -32,10 +32,6 @@ from os.path import exists, abspath ARGV = sys.argv[1:sys.argv.index('--')] if '--' in sys.argv else sys.argv[1:] sys.dont_write_bytecode = '-c' in ARGV or '--clean' in ARGV -# Don't import ./ranger when running an installed binary at /usr/.../ranger -if __file__[:4] == '/usr' and exists('ranger') and abspath('.') in sys.path: - sys.path.remove(abspath('.')) - # Start ranger import ranger # NOQA pylint: disable=import-self,wrong-import-position sys.exit(ranger.main()) # pylint: disable=no-member -- cgit 1.4.1-2-gfad0
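Review bot: the `from os.path import exists, abspath` line shown in the hunk header stays in place, but the four deleted lines are the only visible callers of `exists` and `abspath`, and the diffstat records deletions only. If nothing else in ranger.py uses them, drop that import in this commit, since the file is already annotated for pylint and an unused import will be flagged. A one-line comment above `import ranger` would also be worth adding, recording what the tests in the commit message show: the directory holding the script, not the working directory, is what gets searched for the `ranger` package, so the reason no guard is needed stays in the file rather than only in the log.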