
classification
Title: Zipfile & directory execution in 3.5.4 also adds the parent directory to sys.path
Type: behavior
Stage: resolved
Components:
Versions: Python 3.5
process
Status: closed
Resolution: fixed
Dependencies: 29723
Superseder:
Assigned To:
Nosy List: brett.cannon, christian.heimes, eryksun, larry, ncoghlan, nedbat, petr.viktorin, steve.dower
Priority: normal
Keywords: 3.5regression

Created on 2018-01-14 15:53 by nedbat, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests
URL: PR 5197, Status: merged, Linked: ncoghlan, 2018-01-16 06:10

Messages (13)
msg309925 - (view) Author: Ned Batchelder (nedbat) * (Python triager) Date: 2018-01-14 15:53
The issue that I reported in https://bugs.python.org/issue29723 is now affecting 3.5.4:


```
$ pwd
/Users/ned/foo
$ tree syspathmain
syspathmain
└── __main__.py

0 directories, 1 file
$ cat syspathmain/__main__.py
import sys
print("-" * 20)
print(sys.version)
print("\n".join(sys.path))
$ for pyth in /usr/local/pythonz/pythons/CPython-*/bin/python; do $pyth syspathmain; done
/usr/local/pythonz/pythons/CPython-2.4.6/bin/python: 'syspathmain' is a directory, cannot continue
--------------------
2.6.9 (unknown, Jun 18 2016, 17:45:44)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python26.zip
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/plat-darwin
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/plat-mac
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/lib-tk
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/lib-old
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/lib-dynload
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/site-packages
--------------------
2.7.10 (default, Jun 18 2016, 18:30:12)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/site-packages
--------------------
2.7.11 (default, Jun 18 2016, 17:51:44)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/site-packages
--------------------
2.7.12 (default, Nov 20 2016, 16:53:49)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/site-packages
--------------------
2.7.13 (default, Dec 17 2016, 16:51:07)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/site-packages
--------------------
2.7.13rc1 (default, Dec  4 2016, 15:34:21)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/site-packages
--------------------
2.7.14 (default, Oct  4 2017, 09:45:53)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.37)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/site-packages
--------------------
2.7.14rc1 (default, Aug 27 2017, 08:01:38)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/site-packages
--------------------
3.1.5 (default, Jun 18 2016, 17:54:07)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python31.zip
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python3.1
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python3.1/plat-darwin
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python3.1/lib-dynload
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python3.1/site-packages
--------------------
3.2.6 (default, Jun 18 2016, 17:56:34)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python32.zip
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python3.2
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python3.2/plat-darwin
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python3.2/lib-dynload
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python3.2/site-packages
--------------------
3.3.6 (default, Jun 18 2016, 17:58:30)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python33.zip
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python3.3
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python3.3/plat-darwin
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python3.3/lib-dynload
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python3.3/site-packages
--------------------
3.4.3 (default, Jun 18 2016, 22:29:43)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python3.4/site-packages
--------------------
3.4.4 (default, Jun 18 2016, 18:00:41)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python3.4/site-packages
--------------------
3.4.5 (default, Jun 27 2016, 09:25:27)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python3.4/site-packages
--------------------
3.4.6 (default, Jan 17 2017, 05:32:05)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python3.4/site-packages
--------------------
3.4.6rc1 (default, Jan  3 2017, 06:13:09)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python3.4/site-packages
--------------------
3.5.1 (default, Jun 18 2016, 17:20:31)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python3.5/site-packages
--------------------
3.5.2 (default, Jun 27 2016, 13:24:47)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python3.5/site-packages
--------------------
3.5.3 (default, Jan 17 2017, 05:34:29)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python3.5/site-packages
--------------------
3.5.3rc1 (default, Jan  3 2017, 06:16:13)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python3.5/site-packages
--------------------
3.5.4 (default, Jan  7 2018, 17:59:30)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]
syspathmain
/Users/ned/foo
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python3.5/site-packages
--------------------
3.6.0 (default, Dec 23 2016, 07:11:25)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0/lib/python3.6/site-packages
--------------------
3.6.0a1 (default, Jun 18 2016, 17:17:21)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python3.6/plat-darwin
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python3.6/site-packages
--------------------
3.6.0a2 (default, Jun 19 2016, 07:45:01)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python3.6/plat-darwin
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python3.6/site-packages
--------------------
3.6.0a3 (default, Jul 12 2016, 08:17:28)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python3.6/plat-darwin
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python3.6/site-packages
--------------------
3.6.0b1 (default, Sep 12 2016, 20:38:35)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0b1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0b1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0b1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0b1/lib/python3.6/site-packages
--------------------
3.6.0b2 (default, Oct 10 2016, 21:30:05)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0b2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0b2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0b2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0b2/lib/python3.6/site-packages
--------------------
3.6.0b3 (default, Nov  1 2016, 05:07:34)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0b3/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0b3/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0b3/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0b3/lib/python3.6/site-packages
--------------------
3.6.0b4 (default, Nov 22 2016, 06:27:47)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0b4/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0b4/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0b4/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0b4/lib/python3.6/site-packages
--------------------
3.6.0rc1 (default, Dec  7 2016, 06:45:00)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0rc1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0rc1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0rc1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0rc1/lib/python3.6/site-packages
--------------------
3.6.0rc2 (default, Dec 17 2016, 07:50:27)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0rc2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0rc2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0rc2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0rc2/lib/python3.6/site-packages
--------------------
3.6.1 (default, Mar 22 2017, 05:30:11)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.1/lib/python3.6/site-packages
--------------------
3.6.1rc1 (default, Mar  5 2017, 08:02:03)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/Users/ned/foo
/usr/local/pythonz/pythons/CPython-3.6.1rc1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.1rc1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.1rc1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.1rc1/lib/python3.6/site-packages
--------------------
3.6.2 (default, Jul 17 2017, 07:05:09)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.2/lib/python3.6/site-packages
--------------------
3.6.2rc1 (default, Jun 18 2017, 16:38:24)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.2rc1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.2rc1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.2rc1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.2rc1/lib/python3.6/site-packages
--------------------
3.6.2rc2 (default, Jul  8 2017, 07:07:22)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.2rc2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.2rc2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.2rc2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.2rc2/lib/python3.6/site-packages
--------------------
3.6.3 (default, Oct  4 2017, 06:03:25)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.37)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.3/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.3/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.3/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.3/lib/python3.6/site-packages
--------------------
3.6.4 (default, Dec 19 2017, 08:11:42)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.4/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.4/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.4/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.4/lib/python3.6/site-packages
--------------------
3.6.4rc1 (default, Dec  6 2017, 06:09:07)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.38)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.4rc1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.4rc1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.4rc1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.4rc1/lib/python3.6/site-packages
--------------------
3.7.0a1 (default, Sep 20 2017, 06:16:54)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.7.0a1/lib/python37.zip
/usr/local/pythonz/pythons/CPython-3.7.0a1/lib/python3.7
/usr/local/pythonz/pythons/CPython-3.7.0a1/lib/python3.7/lib-dynload
/usr/local/pythonz/pythons/CPython-3.7.0a1/lib/python3.7/site-packages
--------------------
3.7.0a2 (default, Oct 17 2017, 15:40:05)
[Clang 9.0.0 (clang-900.0.38)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.7.0a2/lib/python37.zip
/usr/local/pythonz/pythons/CPython-3.7.0a2/lib/python3.7
/usr/local/pythonz/pythons/CPython-3.7.0a2/lib/python3.7/lib-dynload
/usr/local/pythonz/pythons/CPython-3.7.0a2/lib/python3.7/site-packages
--------------------
3.7.0a3 (default, Jan 13 2018, 20:06:18)
[Clang 9.0.0 (clang-900.0.39.2)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.7.0a3/lib/python37.zip
/usr/local/pythonz/pythons/CPython-3.7.0a3/lib/python3.7
/usr/local/pythonz/pythons/CPython-3.7.0a3/lib/python3.7/lib-dynload
/usr/local/pythonz/pythons/CPython-3.7.0a3/lib/python3.7/site-packages
--------------------
3.7.0a4 (default, Jan 10 2018, 19:19:56)
[Clang 9.0.0 (clang-900.0.39.2)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.7.0a4/lib/python37.zip
/usr/local/pythonz/pythons/CPython-3.7.0a4/lib/python3.7
/usr/local/pythonz/pythons/CPython-3.7.0a4/lib/python3.7/lib-dynload
/usr/local/pythonz/pythons/CPython-3.7.0a4/lib/python3.7/site-packages
$
```
msg309926 - (view) Author: Ned Batchelder (nedbat) * (Python triager) Date: 2018-01-14 15:55
(For clarity)

The problem is that 3.5.4 adds the current directory to sys.path when running a subdirectory's __main__.py.  No other version of Python does this.
msg309944 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2018-01-15 04:03
Unfortunately, it looks like bpo-29319 was backported to the 3.5 branch, but not the follow-up fix from bpo-29723: https://github.com/python/cpython/commits/3.5/Modules/main.c

(The metadata on bpo-29319 indicated that the original change was targeted at 3.6+ only, and I didn't notice the message that mentioned the 3.5 branch, so I never even looked at 3.5 when working on bpo-29723 - I just assumed it wasn't affected)

Adding unexpected directories to sys.path can definitely be a security problem, so I think the fix should be backported for 3.5.5, but I'm also wondering whether it might be a significant enough regression to warrant an extra "Oops, sorry, we broke it" binary release. (We don't have any good usage numbers on how often folks use directory execution vs other forms of execution, so we don't know how widespread any impact is likely to be)
msg309948 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2018-01-15 05:14
As a reminder: I'm currently scheduled to tag Python 3.5.5rc1 on January 21st, 2018, aka about six days from now.
msg310027 - (view) Author: Brett Cannon (brett.cannon) * (Python committer) Date: 2018-01-15 23:48
Nick makes this sound like it really should land in 3.5.5, so marking as a release blocker for now.
msg310039 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2018-01-16 06:32
PR submitted for 3.5. Since the problem was in a full release this time (rather than a pre-release the way it was for 3.6), I've reclassified it as a security bug, since it means some previously safe operations (where no user-writable directory would end up on sys.path even without the "-I" switch) are technically unsafe.

There's a fair combination of factors required for it to actually cause a problem though:

- it only comes up if you're *not* using isolated mode (so the "workaround" is "Use isolated mode when running privileged processes", which is something we recommend doing anyway)
- it only comes up for directory or zipfile execution, *not* normal script execution
- you have to be executing an admin-controlled directory or zipfile, rather than one the user has write access to (otherwise there's no new opportunity for code injection introduced)
- for actual privilege escalation to take place as a result of the code injection, you have to be running the command with elevated privileges

That said, I suspect exactly the above may happen when using PEX files (https://github.com/pantsbuild/pex), since I can't find any reference in their code to forcing the use of isolated mode in the underlying interpreter.
msg310040 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2018-01-16 06:41
I've updated the issue title to reduce the need to have read bpo-29723 first to understand it.

I've also filed https://github.com/pantsbuild/pex/issues/440 essentially asking the pex folks to check if they're affected.
msg310103 - (view) Author: Eryk Sun (eryksun) * (Python triager) Date: 2018-01-16 19:09
On Windows it's the directory that contains the zip file or directory with __main__.py, not the current directory. This seems normal to me. The directory or zip file is effectively executing as a script. I can understand wanting more isolated behavior in this case, i.e. make isolated mode the default when executing a directory or zip file as a script.

    C:\>py -3.5 C:\Temp\spam
    __file__:
         C:\Temp\spam\__main__.py
    sys.path:
        C:\Temp\spam
        C:\Temp
        C:\Program Files\Python35\python35.zip
        C:\Program Files\Python35\DLLs
        C:\Program Files\Python35\lib
        C:\Program Files\Python35
        C:\Program Files\Python35\lib\site-packages

    C:\>py -3.5 C:\Temp\spam.zip
    __file__:
         C:\Temp\spam.zip\__main__.py
    sys.path:
        C:\Temp\spam.zip
        C:\Temp
        C:\Program Files\Python35\python35.zip
        C:\Program Files\Python35\DLLs
        C:\Program Files\Python35\lib
        C:\Program Files\Python35
        C:\Program Files\Python35\lib\site-packages
msg310134 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2018-01-17 03:42
Good catch Eryk, I misdiagnosed what was going on, since the current directory and the parent directory were the same location in Ned's particular example.

I double checked, and we resolve symlinks in path entries *before* performing the incorrect directory traversal ("..." below indicates the usual standard path entries, "/tmp" is the unexpected entry introduced by the bug), so it isn't possible to use a symlink to get a user-controlled directory onto the path:

```
$ ./python /tmp/spam
/tmp/spam
/tmp
...
$ ln -s /tmp/spam /tmp/mydir/malicious
$ ./python /tmp/mydir/malicious
/tmp/mydir/malicious
/tmp
...
```

That means that as far as I can tell, this is just a plain old bug, rather than a potential security concern (since privileged admin-controlled commands generally tend to live in admin-controlled directories, as if they didn't, potential attackers would be able to replace them with arbitrary code directly).
msg310270 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2018-01-19 09:21
If you're certain it isn't a security bug, then please downgrade it from release blocker.

I might permit a fix for it in 3.5.5 anyway, depending on how small it is, because nobody likes regressions.
msg310319 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2018-01-20 02:47
Thanks Larry - I've reduced the priority accordingly.

While the NEWS entry sounds a bit complicated, the actual fix is nicely self-contained: it's all within Modules/main.c, and relates to how that manipulates sys.argv[0] during startup.

Historically, the code would put a potentially incorrect entry into sys.path[0], then amend it later (and that amendment step could sometimes do the wrong thing), but after this patch, it stores the candidate entry in a local C variable and adds it to the path only after it knows it's correct to do so.

The backport also comes with test cases to ensure everything's working as we expect, and this is the code that 3.6 has been using since its release.
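
The behaviour discussed in this thread can be checked on any interpreter with a small probe. This is an added example, not code from the issue or from CPython's own test suite; the `spam` names follow the layout in Eryk Sun's message, and the `apps`/`workdir` directory layout and all function names are assumptions made for the illustration. It executes a directory and a zip file containing `__main__.py`, with and without `-I`, from a separate working directory, and reports any `sys.path` entry after `sys.path[0]` that resolves to the target's parent directory or to the current directory.

```python
import json
import os
import subprocess
import sys
import tempfile
import zipfile

# Constructed __main__.py for the probe: prints the child's sys.path as JSON.
MAIN_SOURCE = "import json, sys\nprint(json.dumps(sys.path))\n"


def _norm(path, base):
    """Resolve `path` (relative to `base`) so entries compare reliably."""
    return os.path.normcase(os.path.realpath(os.path.join(base, path)))


def child_sys_path(target, cwd, isolated=False):
    """Run `target` with this interpreter from `cwd` and return its sys.path."""
    cmd = [sys.executable] + (["-I"] if isolated else []) + [target]
    # Drop PYTHONPATH so only entries chosen by the interpreter are reported.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONPATH"}
    out = subprocess.check_output(cmd, cwd=cwd, env=env)
    return json.loads(out.decode("utf-8"))


def unexpected_entries(target, cwd, isolated=False):
    """Return (sys.path, findings) for one execution of `target`.

    A finding is an entry after sys.path[0] that resolves to the target's
    parent directory or to the current directory.
    """
    path = child_sys_path(target, cwd, isolated)
    suspects = {
        _norm(os.path.dirname(target), cwd): "parent directory of target",
        _norm(cwd, cwd): "current directory",
    }
    findings = []
    for entry in path[1:]:
        label = suspects.get(_norm(entry, cwd))
        if label:
            findings.append((entry, label))
    return path, findings


def run_probe():
    """Probe directory and zipfile execution, each with and without -I."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        apps = os.path.join(root, "apps")    # parent of the executed targets
        cwd = os.path.join(root, "workdir")  # separate cwd, to tell the two apart
        app_dir = os.path.join(apps, "spam")
        for d in (app_dir, cwd):
            os.makedirs(d)
        with open(os.path.join(app_dir, "__main__.py"), "w") as fh:
            fh.write(MAIN_SOURCE)
        app_zip = os.path.join(apps, "spam.zip")
        with zipfile.ZipFile(app_zip, "w") as zf:
            zf.writestr("__main__.py", MAIN_SOURCE)
        for kind, target in (("directory", app_dir), ("zipfile", app_zip)):
            for isolated in (False, True):
                path, findings = unexpected_entries(target, cwd, isolated)
                results[(kind, isolated)] = {
                    "first_is_target": _norm(path[0], cwd) == _norm(target, cwd),
                    "findings": findings,
                }
    return results


if __name__ == "__main__":
    print(sys.version)
    for (kind, isolated), res in sorted(run_probe().items()):
        mode = "-I" if isolated else "default"
        status = "UNEXPECTED %r" % res["findings"] if res["findings"] else "ok"
        print("%-9s %-7s sys.path[0] is target: %s  %s"
              % (kind, mode, res["first_is_target"], status))
```

Run it with each interpreter under test; an interpreter with the regression described above reports the `apps` directory as a finding for the non-isolated runs.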
msg310495 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2018-01-23 10:48
New changeset 891c91d8d38848377a9f475242507510873eb9c3 by larryhastings (Nick Coghlan) in branch '3.5':
[3.5] bpo-32551: Consistently configure sys.path[0] (#5197)
https://github.com/python/cpython/commit/891c91d8d38848377a9f475242507510873eb9c3
msg310536 - (view) Author: Ned Batchelder (nedbat) * (Python triager) Date: 2018-01-23 23:50
I can confirm that 3.5.5rc1 fixes the problem I had.
History
Date User Action Args
2022-04-11 14:58:56 admin set github: 76732
2018-05-15 21:31:38 petr.viktorin set status: open -> closed
    resolution: fixed
    stage: commit review -> resolved
2018-01-23 23:50:59 nedbat set messages: + msg310536
2018-01-23 10:48:14 larry set messages: + msg310495
2018-01-20 02:47:43 ncoghlan set priority: release blocker -> normal
    messages: + msg310319
2018-01-19 09:21:03 larry set messages: + msg310270
2018-01-17 03:42:23 ncoghlan set messages: + msg310134
    title: Zipfile & directory execution in 3.5.4 adds the current directory to sys.path -> Zipfile & directory execution in 3.5.4 also adds the parent directory to sys.path
2018-01-16 19:09:54 eryksun set nosy: + eryksun
    messages: + msg310103
2018-01-16 06:41:08 ncoghlan set title: 3.5.4 has a regression that was fixed in 3.6.1rc1 -> Zipfile & directory execution in 3.5.4 adds the current directory to sys.path
    messages: + msg310040
    stage: commit review
2018-01-16 06:32:39 ncoghlan set nosy: + christian.heimes, petr.viktorin
    messages: + msg310039
    keywords: - patch
    stage: patch review -> (no value)
2018-01-16 06:10:19 ncoghlan set keywords: + patch
    stage: patch review
    pull_requests: + pull_request5050
2018-01-15 23:48:03 brett.cannon set priority: normal -> release blocker
    nosy: + brett.cannon
    messages: + msg310027
2018-01-15 05:14:48 larry set messages: + msg309948
2018-01-15 04:03:03 ncoghlan set nosy: + steve.dower
    messages: + msg309944
2018-01-14 15:58:47 ned.deily set nosy: + ncoghlan, larry
    dependencies: + 3.6.1rc1 adds the current directory to sys.path when running a subdirectory's __main__.py; previous versions did not
2018-01-14 15:55:13 nedbat set messages: + msg309926
2018-01-14 15:53:57 nedbat create