
Author: Gabriel Corona
Recipients: Gabriel Corona
Date: 2019-02-11 21:46:00
The CLI tools shipped in Debian python-rdflib-tools package can load modules from the current directory [1]:

    $ echo 'print("Something")' >
    $ rdf2dot
    INFO:rdflib:RDFLib Version: 4.2.2
    Reading from stdin as None...

This could be a security issue because an attacker could possibly exploit this behavior to execute arbitrary code.

This happens because these CLI tools are implemented as:

    exec /usr/bin/python -m $*

"python -m $module", "python -c $code" and "$command | python" prepend the current working directory to the Python path. The Python documentation [2] should probably warn about this. In Python 3, "-I" could be suggested to prevent the script/current directory from being added to the Python path. However, this flag has other effects.

The Python documentation suggests "python -m" commands at some places [3-5]: some form of warning at those places might be nice as well.

See the related behavior of Perl. Perl used to include "." in @INC but this was removed for security reasons [6].
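
As an added example (not part of this report or of rdflib), a hardening check a CLI entry point can run before importing anything outside the standard library: it recognises both forms of the implicit entry described above, "" from "-c"/stdin and the directory itself from "-m", and removes them from sys.path. The sample paths in the comments are constructed.

```python
"""Added example: detect and strip the working-directory entry that
"python -m", "python -c" and "command | python" prepend to sys.path."""
import os
import sys


def cwd_entries(path_list, cwd):
    """Return the entries of path_list that resolve to the working directory.

    "-c" and stdin insert "" (meaning "the current directory"); "-m" inserts
    the directory itself, so both spellings are compared after realpath()
    normalisation (trailing slashes and symlinks are folded away).
    """
    target = os.path.realpath(cwd)
    return [p for p in path_list
            if p == "" or os.path.realpath(p) == target]


def strip_cwd(path_list, cwd):
    """Return a copy of path_list without any working-directory entries.

    e.g. strip_cwd(["", "/usr/lib/python3.7"], "/srv/app")
         -> ["/usr/lib/python3.7"]   (constructed paths)
    """
    bad = set(cwd_entries(path_list, cwd))
    return [p for p in path_list if p not in bad]


def harden_sys_path():
    """Remove the implicit cwd entry from sys.path in place.

    Returns the removed entries so a wrapper can log what it dropped.
    Under "python -I" (isolated mode) nothing was prepended, so this is a
    no-op there; note that -I also ignores PYTHON* environment variables and
    the user site directory, which is the "other effects" caveat above.
    """
    cwd = os.getcwd()
    removed = cwd_entries(sys.path, cwd)
    sys.path[:] = strip_cwd(sys.path, cwd)
    return removed


if __name__ == "__main__":
    print("isolated mode (-I):", bool(sys.flags.isolated))
    print("removed from sys.path:", harden_sys_path())
```

Run it as `python3 -m` versus `python3 -I -m` from a scratch directory to see the prepended entry appear and disappear; a wrapper such as the rdf2dot one above would call harden_sys_path() first, then import its real entry point.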

History
Date                 User            Action
2019-02-11 21:46:00  Gabriel Corona  set recipients: + Gabriel Corona
2019-02-11 21:46:00  Gabriel Corona  link issue35971 messages
2019-02-11 21:46:00  Gabriel Corona  create