bug-gnu-emacs

bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe local varia


From: Glenn Morris
Subject: bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe local variable
Date: Sat, 13 Jun 2020 13:20:29 -0400
User-agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)

I don't understand how python-shell-virtualenv-root can be considered a
safe local variable. Surely it controls what "python" executable gets run.

As a test, I did:

python3 -m venv /tmp/foo

I then replaced /tmp/foo/bin/python with a shell-script:

 #!/bin/bash
 echo oh-oh

I then ran:
emacs -Q --eval '(setq python-shell-virtualenv-root "/tmp/foo")' -f python-mode
C-c C-p

This gives an inferior Python buffer with contents:

  oh-oh

  Process Python finished

In other words, this looks like a recipe for arbitrary code execution.
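
Added example (not part of the message above and not Emacs code): a Python scanner that lists every place a checkout sets python-shell-virtualenv-root as a file-local or directory-local variable, so the tree can be reviewed before any file in it is visited in Emacs. It reads the three places Emacs takes local variables from (a -*- line at the top of a file, a "Local Variables:" list near the end, and .dir-locals.el); the names FLAGGED, find_flagged and scan_tree are hypothetical, and the sample input is constructed.

```python
import re
from pathlib import Path

# Variables to flag (assumption: extend as needed); this is the one from the report.
FLAGGED = {"python-shell-virtualenv-root"}

# "name: value" as written in a -*- line or a Local Variables list.
COLON_PAIR = re.compile(r'([\w*+-]+)[ \t]*:[ \t]*("[^"]*"|[^;\n]+)')
# (name . value) as written in .dir-locals.el.
DOTTED_PAIR = re.compile(r'\(\s*([\w*+-]+)\s+\.\s+("[^"]*"|[^\s()]+)')

def local_variable_regions(name, text):
    """Yield (pattern, region) for the places Emacs reads local variables from."""
    if Path(name).name == ".dir-locals.el":
        yield DOTTED_PAIR, text
        return
    # Line 1 is checked, plus line 2 when line 1 is a #! interpreter line.
    lines = text.splitlines()
    head = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in head:
        m = re.search(r"-\*-(.*)-\*-", line)
        if m:
            yield COLON_PAIR, m.group(1)
    # The Local Variables list must start within the last 3000 characters.
    m = re.search(r"Local Variables:(.*?)End:", text[-3000:], re.S | re.I)
    if m:
        yield COLON_PAIR, m.group(1)

def find_flagged(name, text):
    """Return [(file, variable, value)] for flagged variables set in text."""
    return [(name, var, val.strip().strip('"'))
            for pattern, region in local_variable_regions(name, text)
            for var, val in pattern.findall(region)
            if var in FLAGGED]

def scan_tree(root):
    """Scan every regular file under root without opening it in Emacs."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits += find_flagged(str(path), path.read_text(errors="replace"))
    return hits

if __name__ == "__main__":
    # Constructed sample: a file header that sets the variable from the report.
    sample = '# -*- python-shell-virtualenv-root: "/tmp/foo" -*-\n'
    print(find_flagged("sample.py", sample))
```

Each hit names the file and the directory the variable would point at; that directory's bin/python is what the inferior Python shell would start.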




