Nick Coghlan <[email protected]> added the comment:
This isn't considered a security issue, as running "python3" interactively
behaves in exactly the same way (i.e. tracking changes to the current working
directory for the duration of the session), and running "python3 script.py"
adds the full path to the current directory.
In all cases, the expectation is that end users will at least enable isolated
mode if they don't want to risk importing arbitrary code from user controlled
directories.
$ echo "print('Hello')" > foo.py
$ python3 -m foo
Hello
$ python3 -Im foo
/usr/bin/python3: No module named foo
However, I'm flagging this as an enhancement request for 3.8+ (with a reworded
issue title), as the non-isolated `-m` switch algorithm for sys.path[0]
calculation could be made more robust as follows:
1. Start out with "os.getcwd()" rather than the empty string
2. Once `__main__.__file__` has been calculated, delete sys.path[0] if __main__
was found somewhere else
A potentially related enhancement would be to modify directory & zipfile
execution to only look for `__main__.py` in `sys.path[0]` rather than searching
the whole of `sys.path` (which is what currently happens).
----------
title: Running a module with `-m` will add empty directory to sys.path -> Avoid
adding an empty directory to sys.path when running a module with `-m`
type: security -> enhancement
versions: +Python 3.8
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue33053>
_______________________________________
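A small model of the sys.path[0] behaviour the comment describes (the empty entry that `-m` inserts, the `-I` isolated flag, and the two-step hardening proposed for 3.8+), written as an added example for this page and not taken from the tracker or from CPython. It works on explicit path lists and a constructed cwd so it runs without touching the live interpreter; reading "found somewhere else" as "`__main__.__file__` does not live under the cwd" is an assumption of this example.

```python
"""Model of the sys.path[0] handling discussed in the tracker comment.

Added example, not CPython's implementation. Paths are passed in
explicitly so the logic can be exercised on constructed data.
"""
import os
import sys


def cwd_is_importable(path_entries, cwd):
    """True if the current directory is on the import path.

    Both the empty string (what ``-m`` inserts today) and the absolute
    cwd (what ``python3 script.py`` inserts for a script in cwd) count.
    """
    cwd = os.path.abspath(cwd)
    return any(e == "" or os.path.abspath(e) == cwd for e in path_entries)


def harden_path0_for_m(path_entries, main_file, cwd):
    """Apply the proposed two-step algorithm to a copy of a sys.path list.

    1. sys.path[0] starts as the absolute cwd rather than ''.
    2. Once __main__.__file__ is known, drop sys.path[0] if the module was
       found somewhere else (assumption: "elsewhere" means the file is not
       under cwd), so cwd is not left importable for the rest of the run.
    """
    cwd = os.path.abspath(cwd)
    entries = list(path_entries)
    if entries and entries[0] == "":
        entries[0] = cwd
    main_file = os.path.abspath(main_file)
    found_under_cwd = os.path.commonpath([cwd, main_file]) == cwd
    if entries and entries[0] == cwd and not found_under_cwd:
        del entries[0]
    return entries


def report(path_entries=None, cwd=None):
    """Summarise the live interpreter: isolated-mode flag and cwd exposure."""
    entries = sys.path if path_entries is None else path_entries
    cwd = os.getcwd() if cwd is None else cwd
    return {
        "isolated": bool(sys.flags.isolated),
        "cwd_importable": cwd_is_importable(entries, cwd),
    }


if __name__ == "__main__":
    # Run as "python3 -m <name>" vs "python3 -Im <name>" to see the difference.
    print(report())
```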