This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author ncoghlan
Recipients jwilk, ncoghlan, ztane
Date 2018-03-18.05:31:19
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1521351080.92.0.467229070634.issue33053@psf.upfronthosting.co.za>
In-reply-to
Content
This isn't considered a security issue, as running "python3" interactively behaves in exactly the same way (i.e. tracking changes to the current working directory for the duration of the session), and running "python3 script.py" adds the full path to the current directory.

In all cases, the expectation is that end users will at least enable isolated mode if they don't want to risk importing arbitrary code from user controlled directories.

    $ echo "print('Hello')" > foo.py
    $ python3 -m foo
    Hello
    $ python3 -Im foo
    /usr/bin/python3: No module named foo

However, I'm flagging this as an enhancement request for 3.8+ (with a reworded issue title), as the non-isolated `-m` switch algorithm for sys.path[0] calculation could be made more robust as follows:

1. Start out with "os.getcwd()" rather than the empty string
2. Once `__main__.__file__` has been calculated, delete sys.path[0] if __main__ was found somewhere else

A potentially related enhancement would be to modify directory & zipfile execution to only look for `__main__.py` in `sys.path[0]` rather than searching the whole of `sys.path` (which is what currently happens).
History
Date User Action Args
2018-03-18 05:31:21ncoghlansetrecipients: + ncoghlan, jwilk, ztane
2018-03-18 05:31:20ncoghlansetmessageid: <1521351080.92.0.467229070634.issue33053@psf.upfronthosting.co.za>
2018-03-18 05:31:20ncoghlanlinkissue33053 messages
2018-03-18 05:31:19ncoghlancreate