This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: file in current directory caused unexpected code execution.
Type: security Stage: resolved
Components: Versions: Python 3.6, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 2.7
Status: closed Resolution: duplicate
Dependencies: Superseder: Readline module loading in interactive mode
View: 12238
Assigned To: Nosy List: Hiroki Kiyohara, akira, r.david.murray, xiang.zhang
Priority: normal Keywords:

Created on 2015-10-01 09:26 by Hiroki Kiyohara, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (6)
msg252012 - (view) Author: Hiroki Kiyohara (Hiroki Kiyohara) Date: 2015-10-01 09:26
Running `python` interpreter will import `` file in current directory.
It causes unexpected code execution.

This problem is reported by 'Japan Vulnerability Notes' as a bug on
Windows version Python

It says that when we run Windows version python will import `readline.pyd` file in current directory. And it may run unexpected codes with permission assigned to python.exe.

The line causing this problem may be...

Should it be considered as vulnerability of python (or Windows version python)?
msg252015 - (view) Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2015-10-01 10:19
I can reproduce this action on Ubuntu.

The forged in python's execution directory can steal the
permission of python and do something dangerous.
msg252027 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2015-10-01 13:55
This is not a bug, this is the way python works.  When running in interactive mode (only) the current directory is first on the path.

Now, should this behavior be changed?  I think we've discussed this before and decided not to change it (for backward compatibility reasons), but I think there was dissent and that increasing emphasis on security since that discussion might argue for a different outcome.  It's a python-dev mailing list level issue, in any case.
msg252028 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2015-10-01 14:03
Well, so much for my memory :(.

The actual discussion was in issue 12238, where *my* conclusion was that this should be fixed (readline should be special cased), but the issue is still open.

Patches welcome :)
msg252077 - (view) Author: Hiroki Kiyohara (Hiroki Kiyohara) Date: 2015-10-02 01:04
I see. Thank you very much, guys.
msg252180 - (view) Author: Akira Li (akira) * Date: 2015-10-02 23:25
python3 -I

could be used as a workaround.
Date User Action Args
2022-04-11 14:58:22adminsetgithub: 69475
2015-10-02 23:25:41akirasetnosy: + akira
messages: + msg252180
2015-10-02 01:04:04Hiroki Kiyoharasetmessages: + msg252077
2015-10-01 14:03:10r.david.murraysetstatus: open -> closed
superseder: Readline module loading in interactive mode
messages: + msg252028

resolution: duplicate
stage: resolved
2015-10-01 13:55:34r.david.murraysetnosy: + r.david.murray
messages: + msg252027
2015-10-01 10:19:20xiang.zhangsetnosy: + xiang.zhang
messages: + msg252015
2015-10-01 09:26:41Hiroki Kiyoharacreate