* lisp/progmodes/python.el (run-python): Explain why we remove the current

directory from sys.path. Suggested by Eric Hanchrow <erich@cozi.com>.
author: Stefan Monnier 2010-11-17 10:00:16 -0500
committer: Stefan Monnier 2010-11-17 10:00:16 -0500
commit: bac2de0fe3fadd8c5642b6a61aa89d245850bed3 (patch)
tree: 018be5921e26b6703fcff0db4176800dd00757fa /lisp/progmodes/python.el
parent: c04f2ac06346dcdf6046d3c1612e843da17f3bd2 (diff)
download: emacs-bac2de0fe3fadd8c5642b6a61aa89d245850bed3.tar.gz
emacs-bac2de0fe3fadd8c5642b6a61aa89d245850bed3.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/lisp/progmodes/python.el b/lisp/progmodes/python.el
index d2bb82e0580..a19445f47f5 100644
--- a/lisp/progmodes/python.el
+++ b/lisp/progmodes/python.el
@@ -1586,6 +1586,11 @@ buffer for a list of commands.)"
    (with-current-buffer
        (let* ((cmdlist
                (append (python-args-to-list cmd)
+                        ;; It's easy for the user to cause the process to be
+                        ;; started without realizing it (e.g. to perform
+                        ;; completion); for this reason loading files from the
+                        ;; current directory is a security risk.  See
+                        ;; http://article.gmane.org/gmane.emacs.devel/103569
                        '("-i" "-c" "import sys; sys.path.remove('')")))
               (path (getenv "PYTHONPATH"))
               (process-environment     ; to import emacs.py
author	Stefan Monnier	2010-11-17 10:00:16 -0500
committer	Stefan Monnier	2010-11-17 10:00:16 -0500
commit	bac2de0fe3fadd8c5642b6a61aa89d245850bed3 (patch)
tree	018be5921e26b6703fcff0db4176800dd00757fa /lisp/progmodes/python.el
parent	c04f2ac06346dcdf6046d3c1612e843da17f3bd2 (diff)
download	emacs-bac2de0fe3fadd8c5642b6a61aa89d245850bed3.tar.gz emacs-bac2de0fe3fadd8c5642b6a61aa89d245850bed3.zip