Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Zipfile & directory execution in 3.5.4 also adds the parent directory to sys.path #76732

Closed
nedbat opened this issue Jan 14, 2018 · 13 comments
Closed

Zipfile & directory execution in 3.5.4 also adds the parent directory to sys.path #76732

nedbat opened this issue Jan 14, 2018 · 13 comments
Labels
type-bug An unexpected behavior, bug, or error

Comments

@nedbat
Copy link
Member

nedbat commented Jan 14, 2018

BPO 32551
Nosy @brettcannon, @ncoghlan, @larryhastings, @tiran, @nedbat, @encukou, @eryksun, @zooba
PRs
  • [3.5] bpo-32551: Consistently configure sys.path[0] (GH-575) #5197
    		•
    Dependencies
  • bpo-29723: 3.6.1rc1 adds the current directory to sys.path when running a subdirectory's main.py; previous versions did not
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2018-05-15.21:31:38.934>
created_at = <Date 2018-01-14.15:53:57.162>
labels = ['type-bug']
title = 'Zipfile & directory execution in 3.5.4 also adds the parent directory to sys.path'
updated_at = <Date 2018-05-15.21:31:38.933>
user = 'https://github.com/nedbat'

    bugs.python.org fields:

    activity = <Date 2018-05-15.21:31:38.933>
actor = 'petr.viktorin'
assignee = 'none'
closed = True
closed_date = <Date 2018-05-15.21:31:38.934>
closer = 'petr.viktorin'
components = []
creation = <Date 2018-01-14.15:53:57.162>
creator = 'nedbat'
dependencies = ['29723']
files = []
hgrepos = []
issue_num = 32551
keywords = ['3.5regression']
message_count = 13.0
messages = ['309925', '309926', '309944', '309948', '310027', '310039', '310040', '310103', '310134', '310270', '310319', '310495', '310536']
nosy_count = 8.0
nosy_names = ['brett.cannon', 'ncoghlan', 'larry', 'christian.heimes', 'nedbat', 'petr.viktorin', 'eryksun', 'steve.dower']
pr_nums = ['5197']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue32551'
versions = ['Python 3.5']
    @nedbat
    Copy link
    Member Author

    nedbat commented Jan 14, 2018

    The issue that I reported in https://bugs.python.org/issue29723 is now affecting 3.5.4:

    $ pwd
/Users/ned/foo
$ tree syspathmain
syspathmain
└── __main__.py

0 directories, 1 file
$ cat syspathmain/__main__.py
import sys
print("-" * 20)
print(sys.version)
print("\n".join(sys.path))
$ for pyth in /usr/local/pythonz/pythons/CPython-*/bin/python; do $pyth syspathmain; done
/usr/local/pythonz/pythons/CPython-2.4.6/bin/python: 'syspathmain' is a directory, cannot continue
--------------------
2.6.9 (unknown, Jun 18 2016, 17:45:44)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python26.zip
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/plat-darwin
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/plat-mac
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/lib-tk
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/lib-old
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/lib-dynload
/usr/local/pythonz/pythons/CPython-2.6.9/lib/python2.6/site-packages
--------------------
2.7.10 (default, Jun 18 2016, 18:30:12)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.10/lib/python2.7/site-packages
--------------------
2.7.11 (default, Jun 18 2016, 17:51:44)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.11/lib/python2.7/site-packages
--------------------
2.7.12 (default, Nov 20 2016, 16:53:49)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.12/lib/python2.7/site-packages
--------------------
2.7.13 (default, Dec 17 2016, 16:51:07)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.13/lib/python2.7/site-packages
--------------------
2.7.13rc1 (default, Dec  4 2016, 15:34:21)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.13rc1/lib/python2.7/site-packages
--------------------
2.7.14 (default, Oct  4 2017, 09:45:53)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.37)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.14/lib/python2.7/site-packages
--------------------
2.7.14rc1 (default, Aug 27 2017, 08:01:38)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python27.zip
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/plat-darwin
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/plat-mac
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/plat-mac/lib-scriptpackages
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/lib-tk
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/lib-old
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/lib-dynload
/usr/local/pythonz/pythons/CPython-2.7.14rc1/lib/python2.7/site-packages
--------------------
3.1.5 (default, Jun 18 2016, 17:54:07)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python31.zip
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python3.1
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python3.1/plat-darwin
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python3.1/lib-dynload
/usr/local/pythonz/pythons/CPython-3.1.5/lib/python3.1/site-packages
--------------------
3.2.6 (default, Jun 18 2016, 17:56:34)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python32.zip
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python3.2
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python3.2/plat-darwin
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python3.2/lib-dynload
/usr/local/pythonz/pythons/CPython-3.2.6/lib/python3.2/site-packages
--------------------
3.3.6 (default, Jun 18 2016, 17:58:30)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python33.zip
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python3.3
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python3.3/plat-darwin
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python3.3/lib-dynload
/usr/local/pythonz/pythons/CPython-3.3.6/lib/python3.3/site-packages
--------------------
3.4.3 (default, Jun 18 2016, 22:29:43)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.3/lib/python3.4/site-packages
--------------------
3.4.4 (default, Jun 18 2016, 18:00:41)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.4/lib/python3.4/site-packages
--------------------
3.4.5 (default, Jun 27 2016, 09:25:27)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.5/lib/python3.4/site-packages
--------------------
3.4.6 (default, Jan 17 2017, 05:32:05)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.6/lib/python3.4/site-packages
--------------------
3.4.6rc1 (default, Jan  3 2017, 06:13:09)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python34.zip
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python3.4
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python3.4/plat-darwin
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python3.4/lib-dynload
/usr/local/pythonz/pythons/CPython-3.4.6rc1/lib/python3.4/site-packages
--------------------
3.5.1 (default, Jun 18 2016, 17:20:31)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.1/lib/python3.5/site-packages
--------------------
3.5.2 (default, Jun 27 2016, 13:24:47)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.2/lib/python3.5/site-packages
--------------------
3.5.3 (default, Jan 17 2017, 05:34:29)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.3/lib/python3.5/site-packages
--------------------
3.5.3rc1 (default, Jan  3 2017, 06:16:13)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.3rc1/lib/python3.5/site-packages
--------------------
3.5.4 (default, Jan  7 2018, 17:59:30)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]
syspathmain
/Users/ned/foo
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python35.zip
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python3.5
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python3.5/plat-darwin
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python3.5/lib-dynload
/usr/local/pythonz/pythons/CPython-3.5.4/lib/python3.5/site-packages
--------------------
3.6.0 (default, Dec 23 2016, 07:11:25)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0/lib/python3.6/site-packages
--------------------
3.6.0a1 (default, Jun 18 2016, 17:17:21)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python3.6/plat-darwin
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0a1/lib/python3.6/site-packages
--------------------
3.6.0a2 (default, Jun 19 2016, 07:45:01)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python3.6/plat-darwin
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0a2/lib/python3.6/site-packages
--------------------
3.6.0a3 (default, Jul 12 2016, 08:17:28)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python3.6/plat-darwin
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0a3/lib/python3.6/site-packages
--------------------
3.6.0b1 (default, Sep 12 2016, 20:38:35)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0b1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0b1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0b1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0b1/lib/python3.6/site-packages
--------------------
3.6.0b2 (default, Oct 10 2016, 21:30:05)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0b2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0b2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0b2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0b2/lib/python3.6/site-packages
--------------------
3.6.0b3 (default, Nov  1 2016, 05:07:34)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0b3/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0b3/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0b3/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0b3/lib/python3.6/site-packages
--------------------
3.6.0b4 (default, Nov 22 2016, 06:27:47)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0b4/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0b4/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0b4/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0b4/lib/python3.6/site-packages
--------------------
3.6.0rc1 (default, Dec  7 2016, 06:45:00)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0rc1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0rc1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0rc1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0rc1/lib/python3.6/site-packages
--------------------
3.6.0rc2 (default, Dec 17 2016, 07:50:27)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.0rc2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.0rc2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.0rc2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.0rc2/lib/python3.6/site-packages
--------------------
3.6.1 (default, Mar 22 2017, 05:30:11)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.1/lib/python3.6/site-packages
--------------------
3.6.1rc1 (default, Mar  5 2017, 08:02:03)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)]
syspathmain
/Users/ned/foo
/usr/local/pythonz/pythons/CPython-3.6.1rc1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.1rc1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.1rc1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.1rc1/lib/python3.6/site-packages
--------------------
3.6.2 (default, Jul 17 2017, 07:05:09)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.2/lib/python3.6/site-packages
--------------------
3.6.2rc1 (default, Jun 18 2017, 16:38:24)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.2rc1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.2rc1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.2rc1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.2rc1/lib/python3.6/site-packages
--------------------
3.6.2rc2 (default, Jul  8 2017, 07:07:22)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.2rc2/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.2rc2/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.2rc2/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.2rc2/lib/python3.6/site-packages
--------------------
3.6.3 (default, Oct  4 2017, 06:03:25)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.37)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.3/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.3/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.3/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.3/lib/python3.6/site-packages
--------------------
3.6.4 (default, Dec 19 2017, 08:11:42)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.39.2)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.4/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.4/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.4/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.4/lib/python3.6/site-packages
--------------------
3.6.4rc1 (default, Dec  6 2017, 06:09:07)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.38)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.6.4rc1/lib/python36.zip
/usr/local/pythonz/pythons/CPython-3.6.4rc1/lib/python3.6
/usr/local/pythonz/pythons/CPython-3.6.4rc1/lib/python3.6/lib-dynload
/usr/local/pythonz/pythons/CPython-3.6.4rc1/lib/python3.6/site-packages
--------------------
3.7.0a1 (default, Sep 20 2017, 06:16:54)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.42)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.7.0a1/lib/python37.zip
/usr/local/pythonz/pythons/CPython-3.7.0a1/lib/python3.7
/usr/local/pythonz/pythons/CPython-3.7.0a1/lib/python3.7/lib-dynload
/usr/local/pythonz/pythons/CPython-3.7.0a1/lib/python3.7/site-packages
--------------------
3.7.0a2 (default, Oct 17 2017, 15:40:05)
[Clang 9.0.0 (clang-900.0.38)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.7.0a2/lib/python37.zip
/usr/local/pythonz/pythons/CPython-3.7.0a2/lib/python3.7
/usr/local/pythonz/pythons/CPython-3.7.0a2/lib/python3.7/lib-dynload
/usr/local/pythonz/pythons/CPython-3.7.0a2/lib/python3.7/site-packages
--------------------
3.7.0a3 (default, Jan 13 2018, 20:06:18)
[Clang 9.0.0 (clang-900.0.39.2)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.7.0a3/lib/python37.zip
/usr/local/pythonz/pythons/CPython-3.7.0a3/lib/python3.7
/usr/local/pythonz/pythons/CPython-3.7.0a3/lib/python3.7/lib-dynload
/usr/local/pythonz/pythons/CPython-3.7.0a3/lib/python3.7/site-packages
--------------------
3.7.0a4 (default, Jan 10 2018, 19:19:56)
[Clang 9.0.0 (clang-900.0.39.2)]
syspathmain
/usr/local/pythonz/pythons/CPython-3.7.0a4/lib/python37.zip
/usr/local/pythonz/pythons/CPython-3.7.0a4/lib/python3.7
/usr/local/pythonz/pythons/CPython-3.7.0a4/lib/python3.7/lib-dynload
/usr/local/pythonz/pythons/CPython-3.7.0a4/lib/python3.7/site-packages
$

    @nedbat nedbat added the type-bug An unexpected behavior, bug, or error label Jan 14, 2018
    @nedbat
    Copy link
    Member Author

    nedbat commented Jan 14, 2018

    (For clarity)

    The problem is that 3.5.4 adds the current directory to sys.path when running a subdirectory's __main__.py. No other version of Python does this.

    @ncoghlan
    Copy link
    Contributor

    Unfortunately, it looks like bpo-29319 was backported to the 3.5 branch, but not the follow-up fix from bpo-29723: https://github.com/python/cpython/commits/3.5/Modules/main.c

    (The metadata on bpo-29319 indicated that the original change was targeted at 3.6+ only, and I didn't notice the message that mentioned the 3.5 branch, so I never even looked at 3.5 when working on bpo-29723 - I just assumed it wasn't affected)

    Adding unexpected directories to sys.path can definitely be a security problem, so I think the fix should be backported for 3.5.5, but I'm also wondering whether it might be a significant enough regression to warrant an extra "Oops, sorry, we broke it" binary release. (We don't have any good usage numbers on how often folks use directory execution vs other forms of execution, so we don't know how widespread any impact is likely to be)

    @larryhastings
    Copy link
    Contributor

    As a reminder: I'm currently scheduled to tag Python 3.5.5rc1 on January 21st, 2018, aka about six days from now.

    @brettcannon
    Copy link
    Member

    Nick makes this sound like it really should land in 3.5.5, so marking as a release blocker for now.

    @ncoghlan
    Copy link
    Contributor

    PR submitted for 3.5. Since the problem was in a full release this time (rather than a pre-release the way it was for 3.6), I've reclassified it as a security bug, since it means some previously safe operations (where no user-writable directory would end up on sys.path even without the "-I" switch) are technically unsafe.

    There's a fair combination of factors required for it to actually cause a problem though:

    • it only comes up if you're *not* using isolated mode (so the "workaround" is "Use isolated mode when running privileged processes", which is something we recommend doing anyway)
    • it only comes up for directory or zipfile execution, *not* normal script execution
    • you have to be executing an admin-controlled directory or zipfile, rather than one the user has write access to (otherwise there's no new opportunity for code injection introduced)
    • for actual privilege escalation to take place as a result of the code injection, you have to be running the command with elevated privileges

    That said, I suspect exactly the above may happen when using PEX files (https://github.com/pantsbuild/pex), since I can't find any reference in their code to forcing the use of isolated mode in the underlying interpreter.

    @ncoghlan
    Copy link
    Contributor

    I've updated the issue title to reduce the need to have read bpo-29723 first to understand it.

    I've also filed pex-tool/pex#440 essentially asking the pex folks to check if they're affected.

    @ncoghlan ncoghlan changed the title 3.5.4 has a regression that was fixed in 3.6.1rc1 Zipfile & directory execution in 3.5.4 adds the current directory to sys.path Jan 16, 2018
    @eryksun
    Copy link
    Contributor

    eryksun commented Jan 16, 2018

    On Windows it's the directory that contains the zip file or directory with __main__.py, not the current directory. This seems normal to me. The directory or zip file is effectively executing as a script. I can understand wanting more isolated behavior in this case, i.e. make isolated mode the default when executing a directory or zip file as a script.

    C:\>py -3.5 C:\Temp\spam
__file__:
     C:\Temp\spam\__main__.py
sys.path:
    C:\Temp\spam
    C:\Temp
    C:\Program Files\Python35\python35.zip
    C:\Program Files\Python35\DLLs
    C:\Program Files\Python35\lib
    C:\Program Files\Python35
    C:\Program Files\Python35\lib\site-packages

C:\>py -3.5 C:\Temp\spam.zip
__file__:
     C:\Temp\spam.zip\__main__.py
sys.path:
    C:\Temp\spam.zip
    C:\Temp
    C:\Program Files\Python35\python35.zip
    C:\Program Files\Python35\DLLs
    C:\Program Files\Python35\lib
    C:\Program Files\Python35
    C:\Program Files\Python35\lib\site-packages

    @ncoghlan
    Copy link
    Contributor

    Good catch Eryk, I misdiagnosed what was going on, since the current directory and the parent directory were the same location in Ned's particular example.

    I double checked, and we resolve symlinks in path entries *before* performing the incorrect directory traversal ("..." below indicates the usual standard path entries, "/tmp" is the unexpected entry introduced by the bug), so it isn't possible to use a symlink to get a user-controlled directory onto the path:

    $ ./python /tmp/spam
/tmp/spam
/tmp
...
$ ln -s /tmp/spam /tmp/mydir/malicious
$ ./python /tmp/mydir/malicious
/tmp/mydir/malicious
/tmp
...

    That means that as far as I can tell, this is just a plain old bug, rather than a potential security concern (since privileged admin-controlled commands tend generally live in admin-controlled directories, as if they didn't, potential attackers would be able to replace them with arbitrary code directly)

    @ncoghlan ncoghlan changed the title Zipfile & directory execution in 3.5.4 adds the current directory to sys.path Zipfile & directory execution in 3.5.4 also adds the parent directory to sys.path Jan 17, 2018
    @larryhastings
    Copy link
    Contributor

    If you're certain it isn't a security bug, then please downgrade it from release blocker.

    I might permit a fix for it in 3.5.5 anyway, depending on how small it is, because nobody likes regressions.

    @ncoghlan
    Copy link
    Contributor

    Thanks Larry - I've reduced the priority accordingly.

    While the NEWS entry sounds a bit complicated, the actual fix is nicely self-contained: it's all within Modules/main.c, and relates to how that manipulates sys.argv[0] during startup.

    Historically, the code would put a potentially incorrect entry into sys.path[0], then amend it later (and that amendment step could sometimes do the wrong thing), but after this patch, it stores the candidate entry in a local C variable and adds it to the path only after it knows it's correct to do so.

    The backport also comes with test cases to ensure everything's working as we expect, and this is the code that 3.6 has been using since its release.

    @larryhastings
    Copy link
    Contributor

    New changeset 891c91d by larryhastings (Nick Coghlan) in branch '3.5':
    [3.5] bpo-32551: Consistently configure sys.path[0] (bpo-5197)
    891c91d

    @nedbat
    Copy link
    Member Author

    nedbat commented Jan 23, 2018

    I can confirm that 3.5.5rc1 fixes the problem I had.

    @encukou encukou closed this as completed May 15, 2018
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    type-bug An unexpected behavior, bug, or error
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    6 participants
    @nedbat @brettcannon @encukou @eryksun @ncoghlan @larryhastings