Author ztane
Recipients ztane
Date 2018-03-12.11:57:14
Message-id <1520855835.03.0.467229070634.issue33053@psf.upfronthosting.co.za>
Content
I think this is a really stupid security bug. Running a module with `-mmodule` seems to add '' as a path in sys.path, and in front. This is doubly wrong, because '' will stand for whatever the current working directory might happen to be at the time of the *subsequent import statements*, i.e. it is far worse than https://bugs.python.org/issue16202

I.e. whereas python3 /usr/lib/module.py wouldn't do that, python3 -mmodule would make it so that following a chdir in code, imports would be executed from arbitrary locations. Verified on MacOS X, Ubuntu 17.10, using a variety of Python versions up to 3.7.
History
Date                 User   Action  Args
2018-03-12 11:57:15  ztane  set     recipients: + ztane
2018-03-12 11:57:15  ztane  set     messageid: <1520855835.03.0.467229070634.issue33053@psf.upfronthosting.co.za>
2018-03-12 11:57:14  ztane  link    issue33053 messages
2018-03-12 11:57:14  ztane  create
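The behaviour reported above, reproduced in-process as an added example (not code from the report or from CPython): it places '' at the front of sys.path explicitly rather than relying on `-m`, so it behaves the same on any Python 3 version, then shows that pinning relative entries to the startup directory stops imports from following a later chdir. The module name `bpo33053_demo_mod` and both helper functions are hypothetical names chosen for this sketch.

```python
import importlib
import os
import sys
import tempfile

DEMO_MODULE = "bpo33053_demo_mod"  # constructed name, not a real package


def pin_sys_path(entries, base_dir):
    """Resolve '' and other relative entries against base_dir once, up front."""
    return [e if os.path.isabs(e) else os.path.abspath(os.path.join(base_dir, e))
            for e in entries]


def imported_from_new_cwd(harden):
    """Put '' first on sys.path, chdir elsewhere, then import DEMO_MODULE.

    Returns True if the import was satisfied from the directory entered
    *after* startup, False if the module could not be found there.
    """
    saved_path, start_cwd = list(sys.path), os.getcwd()
    with tempfile.TemporaryDirectory() as later_dir:
        # Constructed sample module living only in the post-chdir directory.
        with open(os.path.join(later_dir, DEMO_MODULE + ".py"), "w") as fh:
            fh.write("MARKER = 'loaded from cwd'\n")
        try:
            sys.path[:] = [""] + saved_path          # state the report describes
            if harden:
                sys.path[:] = pin_sys_path(sys.path, start_cwd)
            os.chdir(later_dir)                      # the later chdir in code
            importlib.invalidate_caches()
            try:
                mod = importlib.import_module(DEMO_MODULE)
            except ImportError:
                return False
            origin = os.path.realpath(os.path.dirname(mod.__file__))
            return origin == os.path.realpath(later_dir)
        finally:
            os.chdir(start_cwd)                      # restore process state
            sys.path[:] = saved_path
            sys.modules.pop(DEMO_MODULE, None)


if __name__ == "__main__":
    print("'' on sys.path  ->", imported_from_new_cwd(harden=False))
    print("pinned sys.path ->", imported_from_new_cwd(harden=True))
```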