#5753: mention PySys_SetArgvEx() in 2.6 What's News

2010-06-11 01:07:06 +00:00 · 2010-06-11 01:07:06 +00:00 · edbb091540
parent bc3376f66a
commit edbb091540
1 changed files with 37 additions and 1 deletions
--- a/Doc/whatsnew/2.6.rst
+++ b/Doc/whatsnew/2.6.rst
@ -1788,7 +1788,7 @@ changes, or look through the Subversion logs for all the details.
  were applied.  (Maintained by Josiah Carlson; see :issue:`1736190` for
  one patch.)

-* The :mod:`bsddb` module also has a new maintainer, Jesús Cea, and the package
+* The :mod:`bsddb` module also has a new maintainer, Jesús Cea Avion, and the package
  is now available as a standalone package.  The web page for the package is
  `www.jcea.es/programacion/pybsddb.htm
  <http://www.jcea.es/programacion/pybsddb.htm>`__.
@ -2992,6 +2992,33 @@ Changes to Python's build process and to the C API include:
  architectures (x86, PowerPC), 64-bit (x86-64 and PPC-64), or both.
  (Contributed by Ronald Oussoren.)

+* A new function added in Python 2.6.6, :cfunc:`PySys_SetArgvEx`, sets
+  the value of ``sys.argv`` and can optionally update ``sys.path`` to
+  include the directory containing the script named by ``sys.argv[0]``
+  depending on the value of an *updatepath* parameter.
+
+  This function was added to close a security hole for applications
+  that embed Python.  The old function, :cfunc:`PySys_SetArgv`, would
+  always update ``sys.path``, and sometimes it would add the current
+  directory.  This meant that, if you ran an application embedding
+  Python in a directory controlled by someone else, attackers could
+  put a Trojan-horse module in the directory (say, a file named
+  :file:`os.py`) that your application would then import and run.
+
+  If you maintain a C/C++ application that embeds Python, check
+  whether you're calling :cfunc:`PySys_SetArgv` and carefully consider
+  whether the application should be using :cfunc:`PySys_SetArgvEx`
+  with *updatepath* set to false.  Note that using this function will
+  break compatibility with Python versions 2.6.5 and earlier; if you
+  have to continue working with earlier versions, you can leave
+  the call to :cfunc:`PySys_SetArgv` alone and call
+  ``PyRun_SimpleString("sys.path.pop(0)\n")`` afterwards to discard
+  the first ``sys.path`` component.
+
+  Security issue reported as `CVE-2008-5983
+  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983>`_;
+  discussed in :issue:`5753`, and fixed by Antoine Pitrou.
+
 * The BerkeleyDB module now has a C API object, available as
  ``bsddb.db.api``.   This object can be used by other C extensions
  that wish to use the :mod:`bsddb` module for their own purposes.
@ -3294,6 +3321,15 @@ that may require changes to your code:
  scoping rules, also cause warnings because such comparisons are forbidden
  entirely in 3.0.

+For applications that embed Python:
+
+* The :cfunc:`PySys_SetArgvEx` function was added in Python 2.6.6,
+  letting applications close a security hole when the existing
+  :cfunc:`PySys_SetArgv` function was used.  Check whether you're
+  calling :cfunc:`PySys_SetArgv` and carefully consider whether the
+  application should be using :cfunc:`PySys_SetArgvEx` with
+  *updatepath* set to false.
+
 .. ======================================================================