Message 313641 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ztane
Recipients	ztane
Date	2018-03-12.11:57:14
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1520855835.03.0.467229070634.issue33053@psf.upfronthosting.co.za>
In-reply-to

Content
I think this is a really stupid security bug. Running a module with `-mmodule` seems to add '' as a path in sys.path, and in front. This is doubly wrong, because '' will stand for whatever the current working directory might happen to be at the time of the subsequent import statements, i.e. it is far worse than https://bugs.python.org/issue16202 I.e. whereas python3 /usr/lib/module.py wouldn't do that, python3 -mmodule would make it so that following a chdirs in code, imports would be executed from arbitrary locations. Verified on MacOS X, Ubuntu 17.10, using variety of Python versions up to 3.7.

I think this is a really stupid security bug. Running a module with `-mmodule` seems to add '' as a path in sys.path, and in front. This is doubly wrong, because '' will stand for whatever the current working directory might happen to be at the time of the *subsequent import statements*, i.e. it is far worse than https://bugs.python.org/issue16202

I.e. whereas python3 /usr/lib/module.py wouldn't do that, python3 -mmodule would make it so that following a chdirs in code, imports would be executed from arbitrary locations. Verified on MacOS X, Ubuntu 17.10, using variety of Python versions up to 3.7.

History
Date	User	Action	Args
2018-03-12 11:57:15	ztane	set	recipients: + ztane
2018-03-12 11:57:15	ztane	set	messageid: <1520855835.03.0.467229070634.issue33053@psf.upfronthosting.co.za>
2018-03-12 11:57:14	ztane	link	issue33053 messages
2018-03-12 11:57:14	ztane	create