# HG changeset patch
# User Stefan Monnier <monnier@iro.umontreal.ca>
# Date 1290006016 18000
# Node ID bd93bfc2fc83fa759ff6cb3826994b973f033ae4
# Parent  4433803ef920e2a14098858e8dd3887317db638d
* lisp/progmodes/python.el (run-python): Explain why we remove the current
directory from sys.path.  Suggested by Eric Hanchrow <erich@cozi.com>.

diff -r 4433803ef920 -r bd93bfc2fc83 lisp/ChangeLog
--- a/lisp/ChangeLog	Wed Nov 17 09:54:15 2010 -0500
+++ b/lisp/ChangeLog	Wed Nov 17 10:00:16 2010 -0500
@@ -1,5 +1,8 @@
 2010-11-17  Stefan Monnier  <monnier@iro.umontreal.ca>
 
+	* progmodes/python.el (run-python): Explain why we remove the current
+	directory from sys.path.  Suggested by Eric Hanchrow <erich@cozi.com>.
+
 	* progmodes/grep.el (grep-regexp-alist): Tighten the regexp (bug#7378).
 
 2010-11-16  Stefan Monnier  <monnier@iro.umontreal.ca>
diff -r 4433803ef920 -r bd93bfc2fc83 lisp/progmodes/python.el
--- a/lisp/progmodes/python.el	Wed Nov 17 09:54:15 2010 -0500
+++ b/lisp/progmodes/python.el	Wed Nov 17 10:00:16 2010 -0500
@@ -1586,6 +1586,11 @@
     (with-current-buffer
 	(let* ((cmdlist
 		(append (python-args-to-list cmd)
+                        ;; It's easy for the user to cause the process to be
+			;; started without realizing it (e.g. to perform
+			;; completion); for this reason loading files from the
+			;; current directory is a security risk.  See
+			;; http://article.gmane.org/gmane.emacs.devel/103569
 			'("-i" "-c" "import sys; sys.path.remove('')")))
 	       (path (getenv "PYTHONPATH"))
 	       (process-environment	; to import emacs.py