From bac2de0fe3fadd8c5642b6a61aa89d245850bed3 Mon Sep 17 00:00:00 2001
From: Stefan Monnier <monnier@iro.umontreal.ca>
Date: Wed, 17 Nov 2010 10:00:16 -0500
Subject: [PATCH] * lisp/progmodes/python.el (run-python): Explain why we
 remove the current directory from sys.path.  Suggested by Eric Hanchrow
 <erich@cozi.com>.

---
 lisp/ChangeLog           | 3 +++
 lisp/progmodes/python.el | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 2b137af08d9..85b003d67f6 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,5 +1,8 @@
 2010-11-17  Stefan Monnier  <monnier@iro.umontreal.ca>
 
+	* progmodes/python.el (run-python): Explain why we remove the current
+	directory from sys.path.  Suggested by Eric Hanchrow <erich@cozi.com>.
+
 	* progmodes/grep.el (grep-regexp-alist): Tighten the regexp (bug#7378).
 
 2010-11-16  Stefan Monnier  <monnier@iro.umontreal.ca>
diff --git a/lisp/progmodes/python.el b/lisp/progmodes/python.el
index d2bb82e0580..a19445f47f5 100644
--- a/lisp/progmodes/python.el
+++ b/lisp/progmodes/python.el
@@ -1586,6 +1586,11 @@ buffer for a list of commands.)"
     (with-current-buffer
 	(let* ((cmdlist
 		(append (python-args-to-list cmd)
+                        ;; It's easy for the user to cause the process to be
+			;; started without realizing it (e.g. to perform
+			;; completion); for this reason loading files from the
+			;; current directory is a security risk.  See
+			;; http://article.gmane.org/gmane.emacs.devel/103569
 			'("-i" "-c" "import sys; sys.path.remove('')")))
 	       (path (getenv "PYTHONPATH"))
 	       (process-environment	; to import emacs.py
-- 
2.11.4.GIT