Package: distcc / 3.1-6.2

06_set-pythonpath-securely.patch
Description: Set PYTHONPATH securely
 A number of packages in the archive set the PYTHONPATH environment
 variable in an insecure way. They do something like:
 .
       PYTHONPATH=/spam/eggs:$PYTHONPATH
 .
 This is wrong, because if PYTHONPATH were originally unset or empty,
 the current working directory would be added to sys.path.
Origin: vendor, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605168;msg=5
Bug: http://code.google.com/p/distcc/issues/detail?id=109
Bug-Debian: http://bugs.debian.org/605168
Author: Steve M. Robbins <smr@debian.org>
Applied-Upstream: 3.2, http://code.google.com/p/distcc/source/detail?r=768

--- a/source/pump.in
+++ b/source/pump.in
@@ -285,7 +285,7 @@
     # of one asterisk) without filename expansion.
     eval \
       "PYTHONOPTIMIZE='$PYTHONOPTIMIZE' " \
-      "PYTHONPATH='$pythonpath::$PYTHONPATH' " \
+      "PYTHONPATH='$pythonpath${PYTHONPATH:+:$PYTHONPATH}' " \
       "'$PYTHON'"                       \
          "'$include_server'"            \
          --port "'$socket'"             \
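
Review bot: The `+` line can still produce an empty path component, because `${PYTHONPATH:+:$PYTHONPATH}` only covers an unset or empty PYTHONPATH. An inherited value that starts or ends with a colon or contains `::`, or an empty `$pythonpath`, leaves an empty entry in the result, and Python resolves an empty entry to the current working directory. Consider stripping empty components from both parts before the `eval`. Separately, the result is still interpolated between single quotes in the `eval` string (as it was on the `-` line), so a PYTHONPATH containing a single quote would end the quoting early; exporting the variable rather than building it into the `eval` text would avoid that. A one-line comment beside the expansion saying why the `:+` form is used would also help, since the rationale currently lives only in the patch description.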