From: Stefan Monnier <monnier@iro.umontreal.ca>
Date: Wed, 17 Nov 2010 15:00:16 +0000 (-0500)
Subject: * lisp/progmodes/python.el (run-python): Explain why we remove the current
X-Git-Tag: emacs-pretest-24.0.90~104^2~275^2~438^2~45^2~213
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=bac2de0fe3fadd8c5642b6a61aa89d245850bed3;p=emacs.git

* lisp/progmodes/python.el (run-python): Explain why we remove the current
directory from sys.path.  Suggested by Eric Hanchrow <erich@cozi.com>.
---

diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 2b137af08d9..85b003d67f6 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,5 +1,8 @@
 2010-11-17  Stefan Monnier  <monnier@iro.umontreal.ca>
 
+	* progmodes/python.el (run-python): Explain why we remove the current
+	directory from sys.path.  Suggested by Eric Hanchrow <erich@cozi.com>.
+
 	* progmodes/grep.el (grep-regexp-alist): Tighten the regexp (bug#7378).
 
 2010-11-16  Stefan Monnier  <monnier@iro.umontreal.ca>
diff --git a/lisp/progmodes/python.el b/lisp/progmodes/python.el
index d2bb82e0580..a19445f47f5 100644
--- a/lisp/progmodes/python.el
+++ b/lisp/progmodes/python.el
@@ -1586,6 +1586,11 @@ buffer for a list of commands.)"
     (with-current-buffer
 	(let* ((cmdlist
 		(append (python-args-to-list cmd)
+                        ;; It's easy for the user to cause the process to be
+			;; started without realizing it (e.g. to perform
+			;; completion); for this reason loading files from the
+			;; current directory is a security risk.  See
+			;; http://article.gmane.org/gmane.emacs.devel/103569
 			'("-i" "-c" "import sys; sys.path.remove('')")))
 	       (path (getenv "PYTHONPATH"))
 	       (process-environment	; to import emacs.py