* lisp/progmodes/python.el (run-python): Explain why we remove the current

directory from sys.path.  Suggested by Eric Hanchrow <erich@cozi.com>.

diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 2b137af08d9ffba7c382078797900073b793b509..85b003d67f684c4e998eb8fdb5f19f912fd8aece 100644 (file)
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,5 +1,8 @@
 2010-11-17  Stefan Monnier  <monnier@iro.umontreal.ca>
 
+       * progmodes/python.el (run-python): Explain why we remove the current
+       directory from sys.path.  Suggested by Eric Hanchrow <erich@cozi.com>.
+
        * progmodes/grep.el (grep-regexp-alist): Tighten the regexp (bug#7378).
 
 2010-11-16  Stefan Monnier  <monnier@iro.umontreal.ca>

diff --git a/lisp/progmodes/python.el b/lisp/progmodes/python.el
index d2bb82e0580a6aa0333af332c35064852d3e5616..a19445f47f5d00409940a3b5726058b67ff1142a 100644 (file)
--- a/lisp/progmodes/python.el
+++ b/lisp/progmodes/python.el
@@ -1586,6 +1586,11 @@ buffer for a list of commands.)"
     (with-current-buffer
        (let* ((cmdlist
                (append (python-args-to-list cmd)
+                        ;; It's easy for the user to cause the process to be
+                       ;; started without realizing it (e.g. to perform
+                       ;; completion); for this reason loading files from the
+                       ;; current directory is a security risk.  See
+                       ;; http://article.gmane.org/gmane.emacs.devel/103569
                        '("-i" "-c" "import sys; sys.path.remove('')")))
               (path (getenv "PYTHONPATH"))
               (process-environment     ; to import emacs.py