Security hole committed to crew

Benoit Boissinot bboissin at
Fri Aug 31 10:56:28 CDT 2007

On 8/31/07, Jonathan S. Shapiro <shap at> wrote:
> Brendan recently committed a well-intended change (URL below) to crew
> that adds "." to the python path. This change is ill-advised. Dot is
> generally excluded from the python path for security reasons. There is a
> general concern, but there is a particular worry when hg is executed by
> root.

It doesn't change the PYTHONPATH for hg, only for run-tests.
And it doesn't add '.', but the directory where the test-foo resides.
I agree that this brings some security concerns but it isn't as
alarming as your email sounds.
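To make the concern concrete, here is an added audit script (my own example, not Mercurial's or run-tests' code): it walks a PYTHONPATH value and flags entries that resolve through the current directory or live in directories another user can write to, the case that matters when hg or run-tests is executed by root. The sample filesystem, paths and uids are constructed; `sample_stat` stands in for `os.stat`.

```python
import collections
import os
import stat

def audit_entry(entry, cwd, stat_fn=os.stat, uid=None):
    """Classify one PYTHONPATH/sys.path entry; returns (resolved_path, [findings])."""
    uid = os.getuid() if uid is None else uid
    findings = []
    if entry in ("", "."):
        findings.append("cwd-dependent")   # both mean "wherever the process was started"
    elif not os.path.isabs(entry):
        findings.append("relative")        # also resolved against the current directory
    resolved = entry if os.path.isabs(entry) else os.path.normpath(os.path.join(cwd, entry))
    try:
        st = stat_fn(resolved)
    except OSError:
        findings.append("missing")         # can be created later by whoever can write the parent
        return resolved, findings
    mode = st.st_mode
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable")  # anyone can drop a module that shadows a real one
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_uid not in (0, uid):
        findings.append("foreign-owner")   # the owner controls what the caller imports
    return resolved, findings

def audit_pythonpath(value, cwd, **kw):
    """Return [(entry, resolved, findings)] for every entry that has findings."""
    report = []
    for entry in value.split(os.pathsep):
        resolved, findings = audit_entry(entry, cwd, **kw)
        if findings:
            report.append((entry, resolved, findings))
    return report

# Constructed sample filesystem (stand-in for os.stat) and a constructed PYTHONPATH.
FakeStat = collections.namedtuple("FakeStat", "st_mode st_uid")
SAMPLE_FS = {
    "/usr/lib/python2.5/site-packages": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/home/build/hg": FakeStat(stat.S_IFDIR | 0o755, 1000),         # where the user runs hg
    "/home/build/hg/tests": FakeStat(stat.S_IFDIR | 0o775, 1000),   # the test directory
    "/tmp/scratch": FakeStat(stat.S_IFDIR | 0o777, 1000),           # world-writable, no sticky bit
}
def sample_stat(path):
    if path not in SAMPLE_FS:
        raise OSError(path)
    return SAMPLE_FS[path]

def demo(uid=1000):  # audit as the build user (1000) or as root (0)
    value = os.pathsep.join(["/usr/lib/python2.5/site-packages", ".", "/home/build/hg/tests", "/tmp/scratch"])
    return audit_pythonpath(value, "/home/build/hg", stat_fn=sample_stat, uid=uid)
```

Run as root (`demo(0)`) the same PYTHONPATH additionally flags every directory owned by the build user, which is the situation the thread is worried about.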
