Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!us.feeder.erje.net!newsfeed.fsmpi.rwth-aachen.de!weretis.net!feeder4.news.weretis.net!newsreader4.netcologne.de!news.netcologne.de!xlned.com!feeder3.xlned.com!newsfeed.xs4all.nl!newsfeed3a.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail
Return-Path: <rosuav@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.008
X-Spam-Evidence: '*H*': 0.98; '*S*': 0.00; 'configure': 0.05; 'subject:text': 0.05; 'subject:Python': 0.06; 'lost.': 0.09; 'subject:editor': 0.09; 'cc:addr:python-list': 0.11; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'variables,': 0.16; 'wrote:': 0.18; 'file,': 0.19; 'cc:addr:python.org': 0.22; 'environment': 0.24; 'cc:2**0': 0.24; "i've": 0.25; 'header:In-Reply-To:1': 0.27; 'am,': 0.29; 'message- id:@mail.gmail.com': 0.30; "i'm": 0.30; 'agreed.': 0.31; "d'aprano": 0.31; 'sep': 0.31; 'steven': 0.31; 'run': 0.32; 'quite': 0.32; 'subject:with': 0.35; 'editor': 0.35; 'but': 0.35; 'received:google.com': 0.35; 'really': 0.36; 'somebody': 0.38; 'whatever': 0.38; 'does': 0.39; 'system.': 0.39; 'how': 0.40; 'break': 0.61; 'safe': 0.72; 'hostile': 0.84; 'to:none': 0.92
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=yR+y9I9xPvZx/LGOjJ0dPj8Xn+NFeFI5KhwssJUDPu4=; b=vpZNahPag1MZ+BP1d87PVIhxpjlkXz3Xfx+ycmvNL/ZG0KP8wKvh15bZLlo+UFjjjc qLXSndvaQCYf2iGxu/MMi6UZRBApLUaVeYsOUYURQsptNCBk9q6VPa7jHQr7R+vH3fH5 CdZz+MDDnvGSfC9QhpLOPcpefzIiOby3oKHw/Dt9nUhPT1oD9UKIj0Wa9J/aMZCk1Gmt /HOvs1mdvw6iYb6hGjJ1fcGRhud9S3YBwHh5WH/z9Us5Mo5OzSKzFFt9vnZzhFf1dxHg m87KMT5oZqxhCbQkTPl606jlsVZWea0WJEogYspYN7U+hPTQXfHXLIssDM+xWPhAP1Is mADw==
MIME-Version: 1.0
X-Received: by 10.43.65.195 with SMTP id xn3mr8900032icb.48.1409610332100; Mon, 01 Sep 2014 15:25:32 -0700 (PDT)
In-Reply-To: <5404b4b5$0$29976$c3e8da3$5496439d@news.astraweb.com>
References: <54049ab7$0$29972$c3e8da3$5496439d@news.astraweb.com> <roy-FD5EAD.13055101092014@news.panix.com> <5404b4b5$0$29976$c3e8da3$5496439d@news.astraweb.com>
Date: Tue, 2 Sep 2014 08:25:32 +1000
Subject: Re: Editing text with an external editor in Python
From: Chris Angelico <rosuav@gmail.com>
Cc: "python-list@python.org" <python-list@python.org>
Content-Type: text/plain; charset=UTF-8
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.13697.1409610340.18130.python-list@python.org>
Lines: 14
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1409610340 news.xs4all.nl 2956 [2001:888:2000:d::a6]:54174
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:77417

On Tue, Sep 2, 2014 at 4:02 AM, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> I'm not really seeing how this is a security vulnerability. If somebody can
> break into my system and set a hostile GIT_EDITOR, or TMPDIR, environment
> variables, I've already lost.

Agreed. If I'm calling on your program and setting EDITOR or
GIT_EDITOR or whatever to configure how you ask me to edit a file,
that's because it's *my* system. The aforementioned setup is actually
run as root; the 'editor' quite deliberately does almost nothing, but
I know it's safe because I'm the one in control, not because the
editor's sanitized.

ChrisA