
classification
Title: os.defpath too permissive
Type:
Stage: resolved
Components: Library (Lib)
Versions: Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: On Unix, shutil.which() and subprocess no longer look for the executable in the current directory if PATH environment variable is not set (View: 35755)
Assigned To:
Nosy List: dhduvall, jbeck, jwilk, martin.panter, nitishch, swalker
Priority: normal
Keywords: patch

Created on 2016-02-22 22:50 by jbeck, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name: 2.7-defpath.patch
Uploaded: jbeck, 2016-02-22 22:50
Messages (3)
msg260703 - (view) Author: John Beck (jbeck) Date: 2016-02-22 22:50
A bug has been filed against Solaris' internal version of Python, which is
largely the same (including in this case) as the base version we get from
python.org.  The bug is that os.defpath starts with ':' and thus any Python
script run with a null PATH environment variable will use the current
working directory as its first entry.  This is generally considered to
be bad practice, and especially dangerous for anyone running with root
privileges on a Unix box.  So we intend to change Solaris' version of
Python to elide this, i.e., to apply the attached patch to our 2.7 version
and comparable patches to our 3.4 and 3.5 versions.

As a precaution, I queried the security list before filing this bug, asking:

* Is this intentional?  (Seems like it but I couldn't find any documentation
  to confirm.)
* If so, why?  (Feel free to point me to any docs I missed.)
* If it is intentional, and we were to change our version anyway, do you know
  of any gotchas we should look out for?  There were no regressions when I
  ran the Python test suite.

and got the following reply:

---
From: Guido van Rossum <guido@python.org>
Date: Sat, 20 Feb 2016 09:29:11 -0800
Subject: Re: [PSRT] os.defpath too permissive

Wow. That looks like something really old. I think you can just file
an issue with a patch for this at bugs.python.org. I agree that it
should be fixed. I don't think there are many users that would be
vulnerable, nor do I think that much code would break; the only use in
the stdlib has os.environ.get("PATH", os.defpath) so in all practical
cases it would get the user's $PATH variable (which is presumably
safe) anyway.
---

So I am now filing this bug as suggested.
msg260717 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-02-23 09:50
Digging through the history, it has been this way since at least revision d5b67d2ec7ee (1994).

Removing the colon is definitely a good idea. Maybe this might be a more proper way to get the default PATH:

>>> os.confstr("CS_PATH")
'/bin:/usr/bin'
msg307816 - (view) Author: Jakub Wilk (jwilk) Date: 2017-12-07 16:37
Linux man page for execvp(3)
<http://man7.org/linux/man-pages/man3/execvp.3.html> says:

> The default search path (used when the environment does not contain
> the variable PATH) shows some variation across systems.  It generally
> includes /bin and /usr/bin (in that order) and may also include the
> current working directory.  On some other systems, the current
> working is included after /bin and /usr/bin, as an anti-Trojan-horse
> measure.  The glibc implementation long followed the traditional
> default where the current working directory is included at the start
> of the search path.  However, some code refactoring during the
> development of glibc 2.24 caused the current working directory to be
> dropped altogether from the default search path.  This accidental
> behavior change is considered mildly beneficial, and won't be
> reverted.

So while having cwd in os.defpath has some historical justification,
now that glibc dropped it from its default PATH, it would be prudent for
Python to follow suit.
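
An added example, not part of the original thread or of CPython: it audits a PATH-style string for entries that resolve against the current working directory and builds a search path without them, preferring os.confstr("CS_PATH") when PATH is unset. It goes slightly beyond the leading ':' in the report by also flagging '.', '::', trailing ':' and relative entries. The function names and LEGACY_DEFPATH are hypothetical, and it assumes a POSIX system with ':' as the separator.

```python
import os

# Constructed sample: a default path with the leading ':' the report describes.
LEGACY_DEFPATH = ":/bin:/usr/bin"


def cwd_relative_entries(path):
    """Return (index, entry) for each PATH entry resolved against the cwd.

    An empty entry (leading ':', trailing ':' or '::') means the current
    directory, and any entry that is not an absolute path is relative to it.
    """
    return [(i, entry) for i, entry in enumerate(path.split(":"))
            if not entry.startswith("/")]


def strip_cwd_relative(path):
    """Drop empty and relative entries, keeping the order of the rest."""
    return ":".join(e for e in path.split(":") if e.startswith("/"))


def hardened_search_path(environ=None, defpath=None):
    """Search path for a privileged script, with no cwd-relative entries.

    If PATH is unset (the case in the report), prefer the system value from
    os.confstr("CS_PATH") and fall back to defpath (default: os.defpath).
    """
    environ = os.environ if environ is None else environ
    path = environ.get("PATH")
    if path is None:
        try:
            path = os.confstr("CS_PATH")
        except (AttributeError, ValueError, OSError):
            path = None  # confstr missing or CS_PATH not supported
        if not path:
            path = os.defpath if defpath is None else defpath
    return strip_cwd_relative(path)


if __name__ == "__main__":
    print(cwd_relative_entries(LEGACY_DEFPATH))  # [(0, '')]
    print(hardened_search_path({}, LEGACY_DEFPATH))
```
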
History
Date                 User           Action  Args
2022-04-11 14:58:27  admin          set     github: 70602
2019-01-17 23:16:04  eryksun        set     status: open -> closed; superseder: On Unix, shutil.which() and subprocess no longer look for the executable in the current directory if PATH environment variable is not set; resolution: duplicate; stage: resolved
2017-12-08 18:56:47  gvanrossum     set     nosy: - gvanrossum
2017-12-08 18:55:53  nitishch       set     nosy: + nitishch
2017-12-07 16:37:29  jwilk          set     nosy: + jwilk; messages: + msg307816
2016-02-24 02:16:33  swalker        set     nosy: + swalker
2016-02-23 09:50:38  martin.panter  set     nosy: + martin.panter; messages: + msg260717
2016-02-22 22:57:47  gvanrossum     set     nosy: + gvanrossum
2016-02-22 22:55:47  dhduvall       set     nosy: + dhduvall
2016-02-22 22:50:17  jbeck          create