diff -up Python-2.6/Doc/c-api/init.rst.CVE-2008-5983 Python-2.6/Doc/c-api/init.rst
--- Python-2.6/Doc/c-api/init.rst.CVE-2008-5983 2008-01-05 15:33:46.000000000 -0500
+++ Python-2.6/Doc/c-api/init.rst 2010-06-04 17:20:40.585131325 -0400
@@ -22,6 +22,7 @@ Initialization, Finalization, and Thread
module: sys
triple: module; search; path
single: PySys_SetArgv()
+ single: PySys_SetArgvEx()
single: Py_Finalize()
Initialize the Python interpreter. In an application embedding Python, this
@@ -31,7 +32,7 @@ Initialization, Finalization, and Thread
the table of loaded modules (``sys.modules``), and creates the fundamental
modules :mod:`__builtin__`, :mod:`__main__` and :mod:`sys`. It also initializes
the module search path (``sys.path``). It does not set ``sys.argv``; use
- :cfunc:`PySys_SetArgv` for that. This is a no-op when called for a second time
+ :cfunc:`PySys_SetArgvEx` for that. This is a no-op when called for a second time
(without calling :cfunc:`Py_Finalize` first). There is no return value; it is a
fatal error if the initialization fails.
@@ -346,7 +347,7 @@ Initialization, Finalization, and Thread
``sys.version``.
-.. cfunction:: void PySys_SetArgv(int argc, char **argv)
+.. cfunction:: void PySys_SetArgvEx(int argc, char **argv, int updatepath)
.. index::
single: main()
@@ -361,9 +362,40 @@ Initialization, Finalization, and Thread
to initialize ``sys.argv``, a fatal condition is signalled using
:cfunc:`Py_FatalError`.
+ If *updatepath* is zero, this is all the function does. If *updatepath*
+ is non-zero, the function also modifies :data:`sys.path` according to the
+ following algorithm:
+
+ - If the name of an existing script is passed in ``argv[0]``, the absolute
+ path of the directory where the script is located is prepended to
+ :data:`sys.path`.
+ - Otherwise (that is, if *argc* is 0 or ``argv[0]`` doesn't point
+ to an existing file name), an empty string is prepended to
+ :data:`sys.path`, which is the same as prepending the current working
+ directory (``"."``).
+
+ .. note::
+ It is recommended that applications embedding the Python interpreter
+ for purposes other than executing a single script pass 0 as *updatepath*,
+ and update :data:`sys.path` themselves if desired.
+ See `CVE-2008-5983 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983>`_.
+
+ On versions before 2.6.6, you can achieve the same effect by manually
+ popping the first :data:`sys.path` element after having called
+ :cfunc:`PySys_SetArgv`, for example using::
+
+ PyRun_SimpleString("import sys; sys.path.pop(0)\n");
+
+ .. versionadded:: 2.6.6
+
.. XXX impl. doesn't seem consistent in allowing 0/NULL for the params;
check w/ Guido.
+.. cfunction:: void PySys_SetArgv(int argc, char **argv)
+
+ This function works like :cfunc:`PySys_SetArgv` with *updatepath* set to 1.
+
+
.. _threads:
diff -up Python-2.6/Include/sysmodule.h.CVE-2008-5983 Python-2.6/Include/sysmodule.h
--- Python-2.6/Include/sysmodule.h.CVE-2008-5983 2008-04-12 19:44:07.000000000 -0400
+++ Python-2.6/Include/sysmodule.h 2010-06-04 17:18:41.819963896 -0400
@@ -11,6 +11,7 @@ PyAPI_FUNC(PyObject *) PySys_GetObject(c
PyAPI_FUNC(int) PySys_SetObject(char *, PyObject *);
PyAPI_FUNC(FILE *) PySys_GetFile(char *, FILE *);
PyAPI_FUNC(void) PySys_SetArgv(int, char **);
+PyAPI_FUNC(void) PySys_SetArgvEx(int, char **, int);
PyAPI_FUNC(void) PySys_SetPath(char *);
PyAPI_FUNC(void) PySys_WriteStdout(const char *format, ...)
diff -up Python-2.6/Misc/NEWS.CVE-2008-5983 Python-2.6/Misc/NEWS
--- Python-2.6/Misc/NEWS.CVE-2008-5983 2008-10-01 17:46:40.000000000 -0400
+++ Python-2.6/Misc/NEWS 2010-06-04 17:18:41.820965139 -0400
@@ -149,6 +149,14 @@ C-API
- Aliased PyObject_Bytes to PyObject_Str.
+C-API
+-----
+
+- Issue #5753: A new C API function, :cfunc:`PySys_SetArgvEx`, allows
+ embedders of the interpreter to set sys.argv without also modifying
+ sys.path. This helps fix `CVE-2008-5983
+ <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983>`_.
+
Library
-------
diff -up Python-2.6/Python/sysmodule.c.CVE-2008-5983 Python-2.6/Python/sysmodule.c
--- Python-2.6/Python/sysmodule.c.CVE-2008-5983 2010-06-04 17:18:41.778963331 -0400
+++ Python-2.6/Python/sysmodule.c 2010-06-04 17:18:41.821965213 -0400
@@ -1522,7 +1522,7 @@ makeargvobject(int argc, char **argv)
}
void
-PySys_SetArgv(int argc, char **argv)
+PySys_SetArgvEx(int argc, char **argv, int updatepath)
{
#ifndef HAVE_CANONICALIZE_FILE_NAME
#if defined(HAVE_REALPATH)
@@ -1537,7 +1537,7 @@ PySys_SetArgv(int argc, char **argv)
Py_FatalError("no mem for sys.argv");
if (PySys_SetObject("argv", av) != 0)
Py_FatalError("can't assign sys.argv");
- if (path != NULL) {
+ if (updatepath && path != NULL) {
char *argv0 = argv[0];
char *p = NULL;
Py_ssize_t n = 0;
@@ -1687,6 +1687,12 @@ PySys_SetArgv(int argc, char **argv)
Py_DECREF(av);
}
+void
+PySys_SetArgv(int argc, char **argv)
+{
+ PySys_SetArgvEx(argc, argv, 1);
+}
+
/* APIs to write to sys.stdout or sys.stderr using a printf-like interface.
Adapted from code submitted by Just van Rossum.