
Re: Editing text with an external editor in Python

References <54049ab7$0$29972$c3e8da3$5496439d@news.astraweb.com> <roy-FD5EAD.13055101092014@news.panix.com> <5404b4b5$0$29976$c3e8da3$5496439d@news.astraweb.com>
Date 2014-09-02 08:25 +1000
Subject Re: Editing text with an external editor in Python
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.13697.1409610340.18130.python-list@python.org>


On Tue, Sep 2, 2014 at 4:02 AM, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> I'm not really seeing how this is a security vulnerability. If somebody can
> break into my system and set a hostile GIT_EDITOR, or TMPDIR, environment
> variables, I've already lost.

Agreed. If I'm calling on your program and setting EDITOR or
GIT_EDITOR or whatever to configure how you ask me to edit a file,
that's because it's *my* system. The aforementioned setup is actually
run as root; the 'editor' quite deliberately does almost nothing, but
I know it's safe because I'm the one in control, not because the
editor's sanitized.

ChrisA
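
An added example, not part of the original post: one way to round-trip text through the invoking user's editor in Python, treating GIT_EDITOR/EDITOR and TMPDIR as the caller's own configuration, as the post argues, and refusing only when real and effective ids differ. The function names, the variable lookup order with its `vi` fallback, the use of `shlex.split` instead of a shell, and the id check are assumptions of this example.

```python
import os
import shlex
import subprocess
import tempfile


def editor_argv(environ=None):
    """Return the editor command configured by the invoking user (assumed lookup order)."""
    environ = os.environ if environ is None else environ
    # The environment is only "the caller's own configuration" when no privilege
    # boundary sits between caller and process; setuid/setgid execution breaks that.
    if hasattr(os, "geteuid") and (
        os.geteuid() != os.getuid() or os.getegid() != os.getgid()
    ):
        raise PermissionError("effective ids differ from real ids; not trusting EDITOR")
    for name in ("GIT_EDITOR", "VISUAL", "EDITOR"):
        value = environ.get(name, "").strip()
        if value:
            # Split into an argv list so no shell interprets the value.
            return shlex.split(value)
    return ["vi"]  # assumed fallback


def edit_text(text, environ=None):
    """Write text to a private temp file, run the editor on it, return the result."""
    argv = editor_argv(environ)
    # mkstemp honours TMPDIR and creates the file exclusively with mode 0600.
    fd, path = tempfile.mkstemp(suffix=".txt", text=True)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        # check=True: a failing editor raises instead of returning stale text.
        subprocess.run(argv + [path], check=True)
        with open(path) as handle:
            return handle.read()
    finally:
        os.unlink(path)
```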
