Message313966
FWIW, this behavior is documented:
https://docs.python.org/3/using/cmdline.html#cmdoption-m
"As with the -c option, the current directory will be added to the start of sys.path."
With the -c option, at least you could easily remove the sys.path element yourself:
python -c 'import sys; sys.path.remove(""); ...'
(This works, because sys is always a builtin module, so it won't be imported from cwd.)
I don't see any obvious way to make "python -m foo" secure in untrusted cwd, though.
The best I could come up with is:
python -c 'import sys; sys.path.remove(""); import runpy; runpy._run_module_as_main("foo")'
which is quite insane. |
|
Date |
User |
Action |
Args |
2018-03-16 18:50:11 | jwilk | set | recipients:
+ jwilk, ztane |
2018-03-16 18:50:11 | jwilk | set | messageid: <1521226211.18.0.467229070634.issue33053@psf.upfronthosting.co.za> |
2018-03-16 18:50:11 | jwilk | link | issue33053 messages |
2018-03-16 18:50:11 | jwilk | create | |
|