diff -up Python-2.6.2/Doc/c-api/init.rst.CVE-2008-5983 Python-2.6.2/Doc/c-api/init.rst

--- Python-2.6.2/Doc/c-api/init.rst.CVE-2008-5983	2009-04-05 17:26:31.000000000 -0400

+++ Python-2.6.2/Doc/c-api/init.rst	2010-06-04 11:19:30.750199971 -0400

@@ -22,6 +22,7 @@ Initialization, Finalization, and Thread

       module: sys

       triple: module; search; path

       single: PySys_SetArgv()

+      single: PySys_SetArgvEx()

       single: Py_Finalize()

    Initialize the Python interpreter.  In an application embedding  Python, this

@@ -31,7 +32,7 @@ Initialization, Finalization, and Thread

    the table of loaded modules (``sys.modules``), and creates the fundamental

    modules :mod:`__builtin__`, :mod:`__main__` and :mod:`sys`.  It also initializes

    the module search path (``sys.path``). It does not set ``sys.argv``; use

-   :cfunc:`PySys_SetArgv` for that.  This is a no-op when called for a second time

+   :cfunc:`PySys_SetArgvEx` for that.  This is a no-op when called for a second time

    (without calling :cfunc:`Py_Finalize` first).  There is no return value; it is a

    fatal error if the initialization fails.

@@ -346,7 +347,7 @@ Initialization, Finalization, and Thread

    ``sys.version``.

-.. cfunction:: void PySys_SetArgv(int argc, char **argv)

+.. cfunction:: void PySys_SetArgvEx(int argc, char **argv, int updatepath)

    .. index::

       single: main()

@@ -361,14 +362,41 @@ Initialization, Finalization, and Thread

    string.  If this function fails to initialize :data:`sys.argv`, a fatal

    condition is signalled using :cfunc:`Py_FatalError`.

-   This function also prepends the executed script's path to :data:`sys.path`.

-   If no script is executed (in the case of calling ``python -c`` or just the

-   interactive interpreter), the empty string is used instead.

+   If *updatepath* is zero, this is all the function does.  If *updatepath*

+   is non-zero, the function also modifies :data:`sys.path` according to the

+   following algorithm:

+

+   - If the name of an existing script is passed in ``argv[0]``, the absolute

+     path of the directory where the script is located is prepended to

+     :data:`sys.path`.

+   - Otherwise (that is, if *argc* is 0 or ``argv[0]`` doesn't point

+     to an existing file name), an empty string is prepended to

+     :data:`sys.path`, which is the same as prepending the current working

+     directory (``"."``).

+

+   .. note::

+      It is recommended that applications embedding the Python interpreter

+      for purposes other than executing a single script pass 0 as *updatepath*,

+      and update :data:`sys.path` themselves if desired.

+      See `CVE-2008-5983 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983>`_.

+

+      On versions before 2.6.6, you can achieve the same effect by manually

+      popping the first :data:`sys.path` element after having called

+      :cfunc:`PySys_SetArgv`, for example using::

+

+         PyRun_SimpleString("import sys; sys.path.pop(0)\n");

+

+   .. versionadded:: 2.6.6

    .. XXX impl. doesn't seem consistent in allowing 0/NULL for the params;

       check w/ Guido.

+.. cfunction:: void PySys_SetArgv(int argc, char **argv)

+

+   This function works like :cfunc:`PySys_SetArgv` with *updatepath* set to 1.

+

+

 .. cfunction:: void Py_SetPythonHome(char *home)

    Set the default "home" directory, that is, the location of the standard

diff -up Python-2.6.2/Include/sysmodule.h.CVE-2008-5983 Python-2.6.2/Include/sysmodule.h

--- Python-2.6.2/Include/sysmodule.h.CVE-2008-5983	2008-04-12 19:44:07.000000000 -0400

+++ Python-2.6.2/Include/sysmodule.h	2010-06-04 11:19:30.747199764 -0400

@@ -11,6 +11,7 @@ PyAPI_FUNC(PyObject *) PySys_GetObject(c

 PyAPI_FUNC(int) PySys_SetObject(char *, PyObject *);

 PyAPI_FUNC(FILE *) PySys_GetFile(char *, FILE *);

 PyAPI_FUNC(void) PySys_SetArgv(int, char **);

+PyAPI_FUNC(void) PySys_SetArgvEx(int, char **, int);

 PyAPI_FUNC(void) PySys_SetPath(char *);

 PyAPI_FUNC(void) PySys_WriteStdout(const char *format, ...)

diff -up Python-2.6.2/Misc/NEWS.CVE-2008-5983 Python-2.6.2/Misc/NEWS

--- Python-2.6.2/Misc/NEWS.CVE-2008-5983	2010-06-04 11:19:30.730199353 -0400

+++ Python-2.6.2/Misc/NEWS	2010-06-04 11:19:30.749199965 -0400

@@ -111,6 +111,14 @@ Core and Builtins

   Valgrind.  This gives improved memory leak detection when running

   under Valgrind, while taking advantage of pymalloc at other times.

+C-API

+-----

+

+- Issue #5753: A new C API function, :cfunc:`PySys_SetArgvEx`, allows

+  embedders of the interpreter to set sys.argv without also modifying

+  sys.path.  This helps fix `CVE-2008-5983

+  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983>`_.

+

 Library

 -------

diff -up Python-2.6.2/Python/sysmodule.c.CVE-2008-5983 Python-2.6.2/Python/sysmodule.c

--- Python-2.6.2/Python/sysmodule.c.CVE-2008-5983	2009-01-13 19:08:09.000000000 -0500

+++ Python-2.6.2/Python/sysmodule.c	2010-06-04 11:20:18.931825713 -0400

@@ -1528,7 +1528,7 @@ makeargvobject(int argc, char **argv)

 }

 void

-PySys_SetArgv(int argc, char **argv)

+PySys_SetArgvEx(int argc, char **argv, int updatepath)

 {

 #if defined(HAVE_REALPATH)

 	char fullpath[MAXPATHLEN];

@@ -1541,7 +1541,7 @@ PySys_SetArgv(int argc, char **argv)

 		Py_FatalError("no mem for sys.argv");

 	if (PySys_SetObject("argv", av) != 0)

 		Py_FatalError("can't assign sys.argv");

-	if (path != NULL) {

+	if (updatepath && path != NULL) {

 		char *argv0 = argv[0];

 		char *p = NULL;

 		Py_ssize_t n = 0;

@@ -1631,6 +1631,12 @@ PySys_SetArgv(int argc, char **argv)

 	Py_DECREF(av);

 }

+void

+PySys_SetArgv(int argc, char **argv)

+{

+    PySys_SetArgvEx(argc, argv, 1);

+}

+

 /* APIs to write to sys.stdout or sys.stderr using a printf-like interface.

    Adapted from code submitted by Just van Rossum.