
Author: ncoghlan
Recipients: larry, ncoghlan, nedbat, steve.dower
Date: 2018-01-15 04:03:02
Message-id: <1515988983.07.0.467229070634.issue32551@psf.upfronthosting.co.za>
Content:
Unfortunately, it looks like bpo-29319 was backported to the 3.5 branch, but not the follow-up fix from bpo-29723: https://github.com/python/cpython/commits/3.5/Modules/main.c

(The metadata on bpo-29319 indicated that the original change was targeted at 3.6+ only, and I didn't notice the message that mentioned the 3.5 branch, so I never even looked at 3.5 when working on bpo-29723 - I just assumed it wasn't affected)

Adding unexpected directories to sys.path can definitely be a security problem, so I think the fix should be backported for 3.5.5, but I'm also wondering whether it might be a significant enough regression to warrant an extra "Oops, sorry, we broke it" binary release. (We don't have any good usage numbers on how often folks use directory execution vs other forms of execution, so we don't know how widespread any impact is likely to be)
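An added defender-side check, not part of this thread and not CPython's own code, for the concern raised above: audit the live sys.path for entries that the execution mode does not explain. It assumes that for directory or zipfile execution the only script-specific entry is the target itself, that every other entry should sit under the stdlib, site-packages or user-site roots reported by sysconfig/site, and that the stdlib zip follows the usual lib/pythonXY.zip naming.

```python
"""Audit sys.path for entries the execution mode does not explain (added
example, not CPython code; the lead-in states its assumptions)."""
import os
import site
import sys
import sysconfig


def _under(path, root):
    """True if path equals root or lies inside it (POSIX or Windows separator)."""
    return path == root or path.startswith(root + "/") or path.startswith(root + "\\")


def unexpected_entries(path_entries, roots, cwd):
    """Return the resolved entries of path_entries not explained by roots.

    "" on sys.path means the current directory; cwd is passed in explicitly
    so this pure check is deterministic and testable.
    """
    bad = []
    for entry in path_entries:
        resolved = entry or cwd
        if not any(_under(resolved, r) for r in roots):
            bad.append(resolved)
    return bad


def expected_roots(target=None):
    """Roots that legitimately explain sys.path on this interpreter."""
    roots = {os.path.abspath(sysconfig.get_path(k))
             for k in ("stdlib", "platstdlib", "purelib", "platlib")}
    roots.add(os.path.abspath(site.getusersitepackages()))
    lib_dir = os.path.dirname(os.path.abspath(sysconfig.get_path("stdlib")))
    roots.add(os.path.join(lib_dir, "python%d%d.zip" % sys.version_info[:2]))
    if target is not None:
        roots.add(os.path.abspath(target))  # the directory or zipfile being run
    return roots


def audit_sys_path(target=None):
    """Check the live sys.path; returns the entries that should not be there."""
    entries = [os.path.abspath(e) if e else "" for e in sys.path]
    return unexpected_entries(entries, expected_roots(target), os.getcwd())


if __name__ == "__main__":
    # Pass the directory/zipfile being executed; a non-empty result means
    # sys.path picked up something the command line did not ask for.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.dirname(os.path.abspath(__file__))
    print(audit_sys_path(target))
```

Run it from the directory or zipfile under test (for example by dropping it next to the `__main__.py`) and compare results across interpreter versions; an entry such as the current working directory showing up only on one version is the kind of regression this thread is about.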