This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author ncoghlan
Recipients brett.cannon, ced, eric.snow, eryksun, ncoghlan, paul.moore, r.david.murray, steve.dower, tim.golden, zach.ware
Date 2017-08-17.08:29:48
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1502958589.12.0.728021096433.issue31210@psf.upfronthosting.co.za>
In-reply-to
Content 
If you have access to modify PYTHONPATH at all, you can already shadow almost all standard library modules:

$ PYTHONPATH=/MY_CHOSEN_DIRECTORY python3 -m site
sys.path = [
    '/home/ncoghlan',
    '/MY_CHOSEN_DIRECTORY',
    '/usr/lib64/python36.zip',
    '/usr/lib64/python3.6',
    '/usr/lib64/python3.6/lib-dynload',
    '/home/ncoghlan/.local/lib/python3.6/site-packages',
    '/usr/lib64/python3.6/site-packages',
    '/usr/lib/python3.6/site-packages',
]

The only ones you can't shadow that way are builtin and frozen modules, and any modules that get imported even before PYTHONPATH is processed. So no, this doesn't open up any new attack vectors that weren't already present by design.

As far as whether or not it's worth fixing goes, yes, I think so - one of my original motivations for writing PEP 432 was to allow the use of CPython data structures when calculating the initial value of sys.path, and this is a nice concrete example of a bug arising from the current implementation.
History
Date User Action Args
2017-08-17 08:29:49ncoghlansetrecipients: + ncoghlan, brett.cannon, paul.moore, tim.golden, ced, r.david.murray, eric.snow, zach.ware, eryksun, steve.dower
2017-08-17 08:29:49ncoghlansetmessageid: <1502958589.12.0.728021096433.issue31210@psf.upfronthosting.co.za>
2017-08-17 08:29:49ncoghlanlinkissue31210 messages
2017-08-17 08:29:48ncoghlancreate