Message313641
I think this is a really stupid security bug. Running a module with `-mmodule` seems to add '' as a path in sys.path, and in front. This is doubly wrong, because '' will stand for whatever the current working directory might happen to be at the time of the *subsequent import statements*, i.e. it is far worse than https://bugs.python.org/issue16202

I.e. whereas `python3 /usr/lib/module.py` wouldn't do that, `python3 -mmodule` would make it so that following a chdir in code, imports would be executed from arbitrary locations. Verified on MacOS X, Ubuntu 17.10, using a variety of Python versions up to 3.7.

| Date | User | Action | Args |
|---|---|---|---|
| 2018-03-12 11:57:15 | ztane | set | recipients: + ztane |
| 2018-03-12 11:57:15 | ztane | set | messageid: <1520855835.03.0.467229070634.issue33053@psf.upfronthosting.co.za> |
| 2018-03-12 11:57:14 | ztane | link | issue33053 messages |
| 2018-03-12 11:57:14 | ztane | create | |
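
The behaviour reported above can be checked in-process. This is an added example, not code from the report or from CPython: it puts '' at the front of `sys.path`, changes directory, and shows that the import then resolves from the new working directory, next to a hardened path with every working-directory-dependent entry dropped. The module name `bpo_probe_mod` and all function names are constructed for illustration.

```python
import importlib
import os
import sys
import tempfile


def cwd_dependent_entries(path=None):
    """Return search-path entries ('' or relative) that are resolved
    against the working directory at the time of each import."""
    entries = sys.path if path is None else path
    return [p for p in entries if not os.path.isabs(p)]


def drop_cwd_dependent(path=None):
    """Return a copy of the search path containing only absolute entries."""
    entries = sys.path if path is None else path
    return [p for p in entries if os.path.isabs(p)]


def resolves_from_cwd(module_name="bpo_probe_mod"):
    """Create a constructed module in a fresh temp dir, chdir there, and
    report whether it imports with '' in front versus a hardened path."""
    saved_path, saved_cwd = list(sys.path), os.getcwd()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, module_name + ".py"), "w") as fh:
            fh.write("ORIGIN = __file__\n")
        candidates = {
            "with_empty": [""] + saved_path,                   # state described in the report
            "hardened": drop_cwd_dependent([""] + saved_path),  # absolute entries only
        }
        try:
            os.chdir(tmp)  # the chdir happens after sys.path was set up
            for label, path in candidates.items():
                sys.path[:] = path
                sys.modules.pop(module_name, None)
                importlib.invalidate_caches()
                try:
                    importlib.import_module(module_name)
                    results[label] = True
                except ImportError:
                    results[label] = False
        finally:
            # Restore interpreter state before the temp dir is removed.
            os.chdir(saved_cwd)
            sys.path[:] = saved_path
            sys.modules.pop(module_name, None)
    return results
```

Calling `cwd_dependent_entries()` at the start of a long-running service that changes directory is a quick way to see whether its imports depend on the working directory.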