New submission from Thomas Kluyver:

There's a 'short circuit' in shutil.which(), described as 'If we're given a 
full path which matches the mode and it exists, we're done here.'

It also matches if an executable file of the same name is present in the 
working directory, although on most Unix-y systems you need ./ to execute such 
files in a shell (i.e. ./foo, not just foo).

This could fool code calling which() into thinking that a program is installed, 
when it is not.

If we consider this a bug, one simple fix would be to only allow the short 
circuit with an absolute path, so the line

    if _access_check(cmd, mode):

would become

    if os.path.isabs(cmd) and _access_check(cmd, mode):

----------
components: Library (Lib)
messages: 179897
nosy: takluyver
priority: normal
severity: normal
status: open
title: shutil.which() shouldn't look in working directory on unix-y systems
type: behavior
versions: Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue16957>
_______________________________________
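The behaviour reported above and the proposed `os.path.isabs()` guard, side by side, as an added example that is not part of the original message or of CPython's source. `short_circuit`, `demo` and the file name are hypothetical names chosen for illustration, and `_access_check` here is a stand-in written to perform the exists/access/not-a-directory test the quoted line depends on.

```python
import os
import stat
import tempfile


def _access_check(fn, mode):
    # Stand-in for the helper named in the report: the path exists,
    # permits `mode`, and is not a directory.
    return os.path.exists(fn) and os.access(fn, mode) and not os.path.isdir(fn)


def short_circuit(cmd, mode=os.F_OK | os.X_OK, require_abs=False):
    """Return cmd if the short circuit accepts it, else None.

    require_abs=False models the line as reported;
    require_abs=True models the fix proposed in the message.
    """
    if require_abs and not os.path.isabs(cmd):
        return None
    return cmd if _access_check(cmd, mode) else None


def demo():
    """Place an executable only in the working directory and try both forms."""
    name = "constructed-tool-not-on-path"  # constructed sample name
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, stat.S_IRWXU)
        os.chdir(workdir)
        try:
            # Bare name: a relative path, so it resolves against the cwd.
            reported = short_circuit(name)
            # Same bare name with the guard: rejected before any file check.
            proposed = short_circuit(name, require_abs=True)
            # A genuine absolute path still takes the short circuit.
            absolute = short_circuit(os.path.abspath(name), require_abs=True)
        finally:
            os.chdir(old_cwd)
    return reported, proposed, absolute is not None


if __name__ == "__main__":
    print(demo())
```

Callers that must run on an interpreter with the reported behaviour can apply the same guard themselves: treat a result as trustworthy only if `os.path.isabs()` is true for it.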