Security hole comitted to crew

Jonathan S. Shapiro shap at
Fri Aug 31 10:28:00 CDT 2007

Brendan recently committed a well-intended change (URL below) to crew
that adds "." to the python path. This change is ill-advised. Dot is
generally excluded from the python path for security reasons. There is a
general concern, but there is a particular worry when hg is executed by

The stated problem was to make developer testing easier. Since we have
recently agreed on an hgrc feature that allows paths to be added
explicitly, this objective will very shortly be satisfied by a more
appropriate modification. I expect to supply a patch for path update in
the next day or two.

In the meantime, can we undo this change IMMEDIATELY before we forget
about this. It would be very unfortunate for a security error does not
propagate into crew stable!!

With apologies to Brendan, I think that a few more marginal days of
inconvenience is less important than the security risk here.
Jonathan S. Shapiro
Managing Directory
The EROS Group, LLC,

More information about the Mercurial-devel mailing list