[issue33053] Running a module with `-m` will add empty directory to sys.path

2018-03-16 Thread Ned Deily

Change by Ned Deily:


--
nosy: +ncoghlan

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue33053] Running a module with `-m` will add empty directory to sys.path

2018-03-16 Thread Jakub Wilk

Jakub Wilk added the comment:

FWIW, this behavior is documented:

https://docs.python.org/3/using/cmdline.html#cmdoption-m
"As with the -c option, the current directory will be added to the start of 
sys.path."

With the -c option, at least you could easily remove the sys.path element 
yourself:

   python -c 'import sys; sys.path.remove(""); ...'

(This works because sys is always a builtin module, so it won't be imported 
from cwd.)

I don't see any obvious way to make "python -m foo" secure in an untrusted cwd, 
though.
The best I could come up with is:

   python -c 'import sys; sys.path.remove(""); import runpy; runpy._run_module_as_main("foo")'

which is quite insane.

--
nosy: +jwilk



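The following is an added example, not code from the bug report or from CPython. It implements the mitigation Jakub Wilk sketches above (drop the implicit current-directory entry before any non-builtin import) as a reusable helper, and generalises it slightly: besides '' it also removes '.' and any absolute entry that resolves to the working directory, since later interpreters may insert the resolved path instead of ''. The function names and the sample paths in the comments are my own. Two interpreter flags are the first thing to check before reaching for this: `-I` (isolated mode, 3.4+) omits the script or current directory from sys.path entirely, and `-P` (3.11+) does the same without the other effects of isolated mode.

```python
"""Added example (not from the bug report): find and remove the implicit
current-directory entry that ``python -m`` and ``python -c`` prepend to
sys.path.

The entry '' is resolved to os.getcwd() at the time of *each* import, so a
later os.chdir() into a directory the program does not control would let
files there shadow stdlib and site-packages modules. Stripping the entry
before any non-builtin import is the mitigation from the thread; the
helpers below also catch '.' and the resolved absolute spelling of the
working directory.
"""
import os
import sys
from typing import List


def _is_cwd_entry(entry: str, cwd: str) -> bool:
    """True if ``entry`` would make imports resolve from ``cwd``."""
    if entry in ("", "."):
        # '' and '.' are re-evaluated against the process cwd on every import
        return True
    # Compare absolute entries canonically so /srv/app and /srv/app/ match
    return os.path.realpath(entry) == os.path.realpath(cwd)


def cwd_entries(path: List[str], cwd: str) -> List[str]:
    """Return the entries of ``path`` that point at ``cwd``."""
    return [entry for entry in path if _is_cwd_entry(entry, cwd)]


def strip_cwd(path: List[str], cwd: str) -> List[str]:
    """Return a copy of ``path`` with every cwd-resolving entry removed."""
    return [entry for entry in path if not _is_cwd_entry(entry, cwd)]


def imports_from_cwd() -> bool:
    """Report whether the running interpreter would import from os.getcwd()."""
    return bool(cwd_entries(sys.path, os.getcwd()))


def harden_sys_path() -> List[str]:
    """Remove cwd-resolving entries from sys.path in place.

    Call this as the first statement of the entry point, before importing
    anything else. ``sys`` is a builtin and ``os`` is imported during the
    default interpreter start-up (by ``site``), so neither is looked up on
    sys.path here. Returns the dropped entries so the caller can log them.
    """
    cwd = os.getcwd()
    dropped = cwd_entries(sys.path, cwd)
    # Slice assignment keeps the same list object that the import system holds
    sys.path[:] = strip_cwd(sys.path, cwd)
    return dropped


if __name__ == "__main__":
    # Run via ``python -m`` or ``python -c`` to see '' (or the cwd) reported as
    # dropped; run as a script and the first entry is the script's own directory.
    print("imports from cwd before:", imports_from_cwd())
    print("dropped:", harden_sys_path())
    print("imports from cwd after:", imports_from_cwd())
```

`harden_sys_path()` only helps if it runs before the first import that is not already in `sys.modules`; anything imported earlier in the same process has already been resolved against the unsafe path.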

[issue33053] Running a module with `-m` will add empty directory to sys.path

2018-03-12 Thread Antti Haapala

New submission from Antti Haapala:

I think this is a really stupid security bug. Running a module with `-mmodule` 
seems to add '' as a path in sys.path, and in front. This is doubly wrong, 
because '' will stand for whatever the current working directory might happen 
to be at the time of the *subsequent import statements*, i.e. it is far worse 
than https://bugs.python.org/issue16202

I.e. whereas python3 /usr/lib/module.py wouldn't do that, python3 -mmodule 
would make it so that, following a chdir in code, imports would be executed 
from arbitrary locations. Verified on MacOS X, Ubuntu 17.10, using a variety of 
Python versions up to 3.7.

--
components: Interpreter Core
messages: 313641
nosy: ztane
priority: normal
severity: normal
status: open
title: Running a module with `-m` will add empty directory to sys.path
type: security
