Re: [Python-ideas] Security: remove "." from sys.path?

On Mon, Jun 5, 2017 at 10:52 AM Chris Barker wrote: > On Mon, Jun 5, 2017 at 3:55 AM, Victor Stinner > wrote: > >> A minimum change would be to add the (empty string) at the end of >> sys.path in Python 3.7 rather than adding it at the start. >>

Re: [Python-ideas] Security: remove "." from sys.path?

On 6/5/17, Chris Barker wrote: > On Mon, Jun 5, 2017 at 3:55 AM, Victor Stinner > wrote: > >> A minimum change would be to add the (empty string) at the end of >> sys.path >> in Python 3.7 rather than adding it at the start. >> >> It would

Re: [Python-ideas] Security: remove "." from sys.path?

On Mon, Jun 5, 2017 at 3:55 AM, Victor Stinner wrote: > A minimum change would be to add the (empty string) at the end of sys.path > in Python 3.7 rather than adding it at the start. > > It would increase Python usability since it avoids the "random has no > randint()

Re: [Python-ideas] Security: remove "." from sys.path?

On Mon, Jun 5, 2017 at 4:14 AM, Nick Coghlan wrote: > The biggest problem with this approach is that it means that adding > new standard library modules becomes a backwards compatibility break - > scripts that used to work will now fail since they'll get the standard > library

Re: [Python-ideas] Security: remove "." from sys.path?

So it seems the best thing would be to have a system-python executable which always runs in isolated mode? In fact I could imagine that security-conscious distributions would only install system-python by default and relegate the ordinary python to some python-dev package. Stephan Op 5 jun.

Re: [Python-ideas] Security: remove "." from sys.path?

On 5 June 2017 at 20:55, Victor Stinner wrote: > A minimum change would be to add the (empty string) at the end of sys.path > in Python 3.7 rather than adding it at the start. > > It would increase Python usability since it avoids the "random has no > randint() function"

Re: [Python-ideas] Security: remove "." from sys.path?

On 5 June 2017 at 19:49, Stephan Houben wrote: > What about just adding the -I (isolated mode) flag to the #! line of > installed scripts? Fedora & derivatives generally do do that, but as others noted, it can sometimes cause issues with shebang line parsers. It's also easy

Re: [Python-ideas] Security: remove "." from sys.path?

Le 5 juin 2017 00:52, "Guido van Rossum" a écrit : I really don't want people to start using the "from . import foo" idiom for their first steps into programming. It seems a reasonable "defensive programming" maneuver to put in scripts and apps made by professional Python

Re: [Python-ideas] Security: remove "." from sys.path?

Would it not be a job for setuptools? Setuptools creates the scripts. Stephan Op 5 jun. 2017 12:12 schreef "Oleg Broytman" : On Mon, Jun 05, 2017 at 12:06:45PM +0200, Stephan Houben < stephan...@gmail.com> wrote: > What about doing it on the systems which *do* support it? >

Re: [Python-ideas] Security: remove "." from sys.path?

On Mon, Jun 05, 2017 at 12:06:45PM +0200, Stephan Houben wrote: > What about doing it on the systems which *do* support it? > (Which probably covers 99% of the installed base...) That's the job of Linux distribution packagers, not Python Core developers. > Stephan > >

Re: [Python-ideas] Security: remove "." from sys.path?

On Mon, Jun 05, 2017 at 09:59:35PM +1200, Greg Ewing wrote: > Stephan Houben wrote: > >What about just adding the -I (isolated mode) flag to the #! line of > >installed scripts? > > Not all unix systems support passing extra arguments on a #! line. In case of

Re: [Python-ideas] Security: remove "." from sys.path?

What about doing it on the systems which *do* support it? (Which probably covers 99% of the installed base...) Stephan Op 5 jun. 2017 11:59 schreef "Greg Ewing" : > Stephan Houben wrote: > >> What about just adding the -I (isolated mode) flag to the #! line of >>

Re: [Python-ideas] Security: remove "." from sys.path?

Stephan Houben wrote: What about just adding the -I (isolated mode) flag to the #! line of installed scripts? Not all unix systems support passing extra arguments on a #! line. -- Greg ___ Python-ideas mailing list Python-ideas@python.org

Re: [Python-ideas] Security: remove "." from sys.path?

What about just adding the -I (isolated mode) flag to the #! line of installed scripts? I was actually surprised this is not already done for the Python scripts in /use/bin on my Ubuntu box. Stephan Op 5 jun. 2017 02:52 schreef "Mike Miller" : > I'd like to throw

Re: [Python-ideas] Security: remove "." from sys.path?

I'd like to throw some cold water on this one, for the same reason I always add "." to the path in my shell, when some well-meaning soul has removed it. Why? It's 2017 and I've not shared a machine since the 1980's. I use immutable containers in the cloud that are not at this particular risk

Re: [Python-ideas] Security: remove "." from sys.path?

On Sun, Jun 4, 2017 at 6:51 PM, Guido van Rossum wrote: > I really don't want people to start using the "from . import foo" idiom > for their first steps into programming. It seems a reasonable "defensive > programming" maneuver to put in scripts and apps made by professional

Re: [Python-ideas] Security: remove "." from sys.path?

I really don't want people to start using the "from . import foo" idiom for their first steps into programming. It seems a reasonable "defensive programming" maneuver to put in scripts and apps made by professional Python programmers for surprise-free wide distribution, but (like many of those)

Re: [Python-ideas] Security: remove "." from sys.path?

On 4 June 2017 at 10:00, Greg Ewing wrote: > Is this really much of a security issue? Seems to me that > for someone to exploit it, they would have to inject a > malicious .py file alongside one of my script files. If > they can do that, they can probably do all kinds

Re: [Python-ideas] Security: remove "." from sys.path?

I'm not comfortable with the subject title of this thread. I'm comfortable with the experiences and solutions proposed by Nick. On Sat, Jun 3, 2017 at 8:16 PM, Greg Ewing wrote: > Soni L. wrote: > >> How about `import self.thing` (where "self" implies same dir as

Re: [Python-ideas] Security: remove "." from sys.path?

Soni L. wrote: How about `import self.thing` (where "self" implies same dir as the current .py That wouldn't provide quite the same functionality, since currently a module alongside the main py file can be imported from anywhere, including .py files inside a package. Also I think it would be

Re: [Python-ideas] Security: remove "." from sys.path?

Is this really much of a security issue? Seems to me that for someone to exploit it, they would have to inject a malicious .py file alongside one of my script files. If they can do that, they can probably do all kinds of bad things directly. -- Greg

Re: [Python-ideas] Security: remove "." from sys.path?

On Jun 3, 2017 2:45 PM, "Chris Angelico" wrote: On Sun, Jun 4, 2017 at 12:42 AM, Nick Coghlan wrote: >> But I don't think that running an application from the source without >> installing it is the most common way to run an application. Most users >>

Re: [Python-ideas] Security: remove "." from sys.path?

On Sun, Jun 4, 2017 at 12:42 AM, Nick Coghlan wrote: >> But I don't think that running an application from the source without >> installing it is the most common way to run an application. Most users >> install applications to use them, no? > > Scripts are very frequently run

Re: [Python-ideas] Security: remove "." from sys.path?

On 2 June 2017 at 02:30, Victor Stinner wrote: > Hi, > > Perl 5.26 succeeded to remove the current working directory from the > default include path (our Python sys.path): > >

Re: [Python-ideas] Security: remove "." from sys.path?

How about `import self.thing` (where "self" implies same dir as the current .py - if it's a dir-based package, then "self" is that dir) and `import super.thing` (where "super" implies parent package *locked to parent dir*. if there isn't any (top level package or main script), fail-by-default

Re: [Python-ideas] Security: remove "." from sys.path?

How about `import self.thing` (where "self" implies same dir as the current .py - if it's a dir-based package, then "self" is that dir) and `import super.thing` (where "super" implies parent package *locked to parent dir*. if there isn't any (top level package or main script), fail-by-default

Re: [Python-ideas] Security: remove "." from sys.path?

On Sat, Jun 3, 2017 at 8:36 PM, Steven D'Aprano wrote: > On Fri, Jun 02, 2017 at 12:36:59PM +1000, Chris Angelico wrote: > > [...] >> > I expect that moving '' to the end of sys.path will be a less disruptive >> > change than removing it. >> >> This is true. However, anything

Re: [Python-ideas] Security: remove "." from sys.path?

On Fri, Jun 02, 2017 at 12:36:59PM +1000, Chris Angelico wrote: [...] > > I expect that moving '' to the end of sys.path will be a less disruptive > > change than removing it. > > This is true. However, anything that depends on the current behaviour > (intentionally or otherwise) would be just

Re: [Python-ideas] Security: remove "." from sys.path?

On 2 June 2017 at 20:02, Victor Stinner wrote: > 2017-06-02 9:12 GMT+02:00 Greg Ewing : >> Why do you want to change it? > > To make Python more secure. To prevent untrusted modules hijacking > stdlib modules on purpose to inject code for

Re: [Python-ideas] Security: remove "." from sys.path?

2017-06-02 9:12 GMT+02:00 Greg Ewing : > Why do you want to change it? To make Python more secure. To prevent untrusted modules hijacking stdlib modules on purpose to inject code for example. Victor ___ Python-ideas mailing

Re: [Python-ideas] Security: remove "." from sys.path?

On 1.06.2017 19:46, Chris Angelico wrote: On Fri, Jun 2, 2017 at 2:30 AM, Victor Stinner wrote: Perl 5.26 succeeded to remove the current working directory from the default include path (our Python sys.path):

Re: [Python-ideas] Security: remove "." from sys.path?

Victor Stinner wrote: You are right, it's the script directory that it added to sys.path and I would like to know if it would be possible to change that? Why do you want to change it? -- Greg ___ Python-ideas mailing list Python-ideas@python.org

Re: [Python-ideas] Security: remove "." from sys.path?

On Fri, Jun 2, 2017 at 11:05 AM, Steven D'Aprano wrote: > On Fri, Jun 02, 2017 at 09:22:16AM +1000, Chris Angelico wrote: > >> Ultimately, what I would like is for "import random" to be absolutely >> dependably going to grab the stdlib "random" module, or at very least, >>

Re: [Python-ideas] Security: remove "." from sys.path?

On Fri, Jun 02, 2017 at 09:22:16AM +1000, Chris Angelico wrote: > Ultimately, what I would like is for "import random" to be absolutely > dependably going to grab the stdlib "random" module, or at very least, > something that someone *deliberately* is shadowing that module with. > You shouldn't

Re: [Python-ideas] Security: remove "." from sys.path?

On Fri, Jun 2, 2017 at 8:58 AM, Victor Stinner wrote: >> (AIUI, the *current directory* is never on Python's path, but the > *script directory* is. They're the same thing a lot of the time.) > > Oh, it's very common that I run a script from its directory, so yeah script

Re: [Python-ideas] Security: remove "." from sys.path?

> (AIUI, the *current directory* is never on Python's path, but the *script directory* is. They're the same thing a lot of the time.) Oh, it's very common that I run a script from its directory, so yeah script directory = current directory on such case. Sorry for the confusion. You are right,

Re: [Python-ideas] Security: remove "." from sys.path?

On Thu, Jun 1, 2017 at 10:30 AM, Victor Stinner wrote: > Hi, > > Perl 5.26 succeeded to remove the current working directory from the > default include path (our Python sys.path): > >

Re: [Python-ideas] Security: remove "." from sys.path?

On Fri, Jun 2, 2017 at 2:30 AM, Victor Stinner wrote: > Perl 5.26 succeeded to remove the current working directory from the > default include path (our Python sys.path): > >

[Python-ideas] Security: remove "." from sys.path?

Hi, Perl 5.26 succeeded to remove the current working directory from the default include path (our Python sys.path): https://metacpan.org/pod/release/XSAWYERX/perl-5.26.0/pod/perldelta.pod#Removal-of-the-current-directory-(%22.%22)-from-@INC Would it technically possible to make this change in