Nick Coghlan added the comment:
If you have access to modify PYTHONPATH at all, you can already shadow almost
all standard library modules:

    $ PYTHONPATH=/MY_CHOSEN_DIRECTORY python3 -m site
    sys.path = [
        '/home/ncoghlan',
        '/MY_CHOSEN_DIRECTORY',
        '/usr/lib64/python36.zip',
        '/usr/lib64/python3.6',
        '/usr/lib64/python3.6/lib-dynload',
        '/home/ncoghlan/.local/lib/python3.6/site-packages',
        '/usr/lib64/python3.6/site-packages',
        '/usr/lib/python3.6/site-packages',
    ]

The only ones you can't shadow that way are builtin and frozen modules, and any
modules that get imported even before PYTHONPATH is processed. So no, this
doesn't open up any new attack vectors that weren't already present by design.
As far as whether or not it's worth fixing goes, yes, I think so - one of my
original motivations for writing PEP 432 was to allow the use of CPython data
structures when calculating the initial value of sys.path, and this is a nice
concrete example of a bug arising from the current implementation.
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue31210>
_______________________________________
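
The shadowing rule described in the comment above can be checked from the defender's side. The following is an added example, not part of the original message or of CPython: it lists source modules and packages in PYTHONPATH directories whose names collide with the standard library and reports whether each would win the import. The function names and verdict strings are this example's own, the sample directory is constructed, and modules already imported before PYTHONPATH is processed are not detected.

```python
import importlib.machinery
import os
import sys
import tempfile


def stdlib_names():
    """Top-level standard library module names for this interpreter."""
    names = getattr(sys, "stdlib_module_names", None)  # Python 3.10+
    if names is None:  # older interpreters: approximate from the stdlib directory
        libdir = os.path.dirname(os.__file__)
        names = {os.path.splitext(f)[0] for f in os.listdir(libdir)}
    return set(names) | set(sys.builtin_module_names)


def classify(name):
    """Say whether a PYTHONPATH file named after `name` would win the import."""
    if name in sys.builtin_module_names:
        return "builtin: not shadowable"
    if importlib.machinery.FrozenImporter.find_spec(name) is not None:
        return "frozen: not shadowable"
    return "SHADOWS stdlib"


def audit(dirs):
    """Return {module: verdict} for stdlib-named .py files and packages in dirs."""
    known, findings = stdlib_names(), {}
    for d in filter(os.path.isdir, dirs):
        for entry in sorted(os.listdir(d)):
            name, ext = os.path.splitext(entry)
            is_pkg = os.path.isfile(os.path.join(d, entry, "__init__.py"))
            if (is_pkg or ext == ".py") and name in known:
                findings[name] = classify(name)
    return findings


def demo():
    """Constructed sample: a directory holding json.py, sys.py and mytool.py."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ("json.py", "sys.py", "mytool.py"):
            open(os.path.join(d, fname), "w").close()
        return audit([d])


if __name__ == "__main__":
    dirs = [p for p in os.environ.get("PYTHONPATH", "").split(os.pathsep) if p]
    print(audit(dirs) if dirs else demo())
```

Run with PYTHONPATH set to audit the real environment; with it unset, the script reports on the constructed sample directory instead.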