New submission from Antoine Pitrou <>:

Python supports a mode where the interpreter ignores environment variables such 

However, there are places in the stdlib where environment-sensitive decisions 
are made, without regard for the ignore-environment flag.

Examples include:
- ssl.get_default_verify_paths() queries SSL_CERT_FILE and SSL_CERT_DIR
- shutil.which() queries PATH
- the tempfile module queries TMPDIR, TEMP, TMP to select the default directory 
for temporary files

Do you think those need to be sanitized?

components: Library (Lib)
messages: 313393
nosy: alex, christian.heimes, pitrou
priority: normal
severity: normal
status: open
title: Review usage of environment variables in the stdlib
type: security
versions: Python 3.6, Python 3.7, Python 3.8

Python tracker <>
Python-bugs-list mailing list
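
Added example (not part of the original report and not CPython code): it starts a child interpreter with -E and records what tempfile and shutil.which resolve when TMPDIR, PATH and SSL_CERT_FILE point at a constructed directory, then repeats the run with those variables scrubbed by the parent. It assumes a POSIX system; the tool name, the planted directory and the choice of os.defpath as a pinned PATH are assumptions made for the demonstration.

```python
import json, os, shutil, stat, subprocess, sys, tempfile

# Variables named in the report above; pinning PATH to os.defpath is an assumption.
SENSITIVE = ("SSL_CERT_FILE", "SSL_CERT_DIR", "TMPDIR", "TEMP", "TMP")
TOOL = "constructed-demo-tool"  # hypothetical name, constructed for this example

CHILD = f"""
import json, shutil, sys, tempfile
try:
    import ssl
    cafile = ssl.get_default_verify_paths().cafile
except ImportError:
    cafile = None
print(json.dumps({{"ignore_environment": sys.flags.ignore_environment,
                  "tempdir": tempfile.gettempdir(),
                  "which": shutil.which({TOOL!r}), "cafile": cafile}}))
"""

def probe(flag, env):
    """Run a child interpreter with `flag` (-E or -I); return what the stdlib resolved."""
    done = subprocess.run([sys.executable, flag, "-c", CHILD], env=env,
                          check=True, capture_output=True, text=True)
    return json.loads(done.stdout)

def scrubbed(env):
    """Copy of env without the variables from the report, and with PATH pinned."""
    clean = {k: v for k, v in env.items() if k not in SENSITIVE}
    clean["PATH"] = os.defpath
    return clean

def demo():
    """Return (planted_dir, result with tainted env, result with scrubbed env)."""
    planted = os.path.realpath(tempfile.mkdtemp())  # constructed sample directory
    try:
        tool = os.path.join(planted, TOOL)
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(tool, stat.S_IRWXU)  # shutil.which() only returns executable files
        env = dict(os.environ, TMPDIR=planted, SSL_CERT_FILE=tool,
                   PATH=planted + os.pathsep + os.environ.get("PATH", os.defpath))
        return planted, probe("-E", env), probe("-E", scrubbed(env))
    finally:
        shutil.rmtree(planted, ignore_errors=True)

if __name__ == "__main__":
    planted, tainted, clean = demo()
    print("planted :", planted)
    print("-E      :", tainted)
    print("scrubbed:", clean)
```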