Message314020
This isn't considered a security issue, as running "python3" interactively behaves in exactly the same way (i.e. tracking changes to the current working directory for the duration of the session), and running "python3 script.py" adds the full path to the current directory.
In all cases, the expectation is that end users will at least enable isolated mode if they don't want to risk importing arbitrary code from user controlled directories.
$ echo "print('Hello')" > foo.py
$ python3 -m foo
Hello
$ python3 -Im foo
/usr/bin/python3: No module named foo
However, I'm flagging this as an enhancement request for 3.8+ (with a reworded issue title), as the non-isolated `-m` switch algorithm for sys.path[0] calculation could be made more robust as follows:
1. Start out with "os.getcwd()" rather than the empty string
2. Once `__main__.__file__` has been calculated, delete sys.path[0] if __main__ was found somewhere else
A potentially related enhancement would be to modify directory & zipfile execution to only look for `__main__.py` in `sys.path[0]` rather than searching the whole of `sys.path` (which is what currently happens). |
|
Date |
User |
Action |
Args |
2018-03-18 05:31:21 | ncoghlan | set | recipients:
+ ncoghlan, jwilk, ztane |
2018-03-18 05:31:20 | ncoghlan | set | messageid: <1521351080.92.0.467229070634.issue33053@psf.upfronthosting.co.za> |
2018-03-18 05:31:20 | ncoghlan | link | issue33053 messages |
2018-03-18 05:31:19 | ncoghlan | create | |
|