#166: Configurable policy for importing external Python files
--------------------------+-------------------------------------------------
Reporter: giovannibajo | Owner: giovannibajo
Type: defect | Status: new
Priority: normal | Milestone: PyInstaller 1.5
Component: PyInstaller | Version:
Severity: blocker | Keywords:
--------------------------+-------------------------------------------------
Currently, PyInstaller adds the executable's directory to the sys.path,
making it possible to import external Python files. This is very useful in
some scenarios (e.g. external plugins) but other people find that it is
even a security problem (since attackers can inject code by adding files
on the filesystem and relying on modules that are correctly missing; e.g.
posix.py on a Windows system).

After [770], users that are aware of this can remove the executable's
directory from sys.path at runtime to avoid imports of external files.
This is of course sub-optimal (especially since most Python programmers
are unfamiliar with import internals).

I think that PyInstaller should simply let the user decide about which
behaviour he wants, through the spec file.
--
Ticket URL: <http://www.pyinstaller.org/ticket/166>
PyInstaller <http://www.pyinstaller.org>
PyInstaller Project
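
Added example, not part of the original ticket and not PyInstaller's own code: one way to do the runtime removal the ticket describes, comparing sys.path entries to the executable's directory after resolving symlinks, case and trailing separators, plus a small audit helper for files sitting beside the executable. The function names, the file planted_mod.py and the paths in demo() are constructed; it assumes the frozen program has sys.frozen set and loads its bundled modules through PyInstaller's own importer rather than from loose files in that directory.

```python
import importlib.machinery
import os
import sys
import tempfile


def _canon(path):
    """Comparable form of a directory: symlinks, case and trailing separators resolved."""
    return os.path.normcase(os.path.realpath(path or os.curdir))


def strip_exe_dir(search_path, exe_dir):
    """Return search_path without any entry that resolves to exe_dir."""
    target = _canon(exe_dir)
    return [entry for entry in search_path if _canon(entry) != target]


def loose_modules(exe_dir):
    """Audit aid: importable files sitting next to the executable."""
    exts = (".py", ".pyc", ".pyd", ".so")
    return sorted(name for name in os.listdir(exe_dir) if name.endswith(exts))


def harden():
    """Call first thing in the entry script; does nothing when not frozen."""
    if getattr(sys, "frozen", False):  # assumption: attribute set by the bootloader
        sys.path[:] = strip_exe_dir(sys.path, os.path.dirname(sys.executable))


def demo():
    """Constructed scenario: a stray module beside a stand-in executable directory."""
    with tempfile.TemporaryDirectory() as exe_dir:
        # Constructed file standing in for something like posix.py on Windows.
        with open(os.path.join(exe_dir, "planted_mod.py"), "w") as fh:
            fh.write("x = 1\n")
        before = [exe_dir + os.sep, "/nonexistent/lib"]
        after = strip_exe_dir(before, exe_dir)
        find = importlib.machinery.PathFinder.find_spec
        return (find("planted_mod", before) is not None,
                find("planted_mod", after) is not None,
                after, loose_modules(exe_dir))


if __name__ == "__main__":
    print(demo())
```

Any import that runs before harden() still searches the executable's directory, so the call belongs at the very top of the entry script.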