New submission from STINNER Victor <victor.stin...@gmail.com>:

Christian Heimes, author of the -I option (isolated mode), asked me to open an 
issue to check if the following behaviour is correct (safe in terms of security).

"python3 directory" inserts "directory" at sys.path[0], even in isolated mode. 
Example:
---
vstinner@apu$ mkdir directory
vstinner@apu$ echo "import pprint, sys; pprint.pprint(sys.path)" > directory/__main__.py

vstinner@apu$ python3 directory
['directory',
 '/usr/lib64/python3.6',
 ...]

# Same behaviour with -I
vstinner@apu$ python3 -I directory
['directory',
 '/usr/lib64/python3.6',
 ...]
---


Same behaviour for a ZIP file:
---
vstinner@apu$ cd directory/
vstinner@apu$ zip ../testzip.zp __main__.py 
  adding: __main__.py (deflated 20%)
vstinner@apu$ cd ..
vstinner@apu$ python3 testzip.zip
python3: can't open file 'testzip.zip': [Errno 2] No such file or directory
vstinner@apu$ mv testzip.zp testzip.zip 
'testzip.zp' -> 'testzip.zip'

vstinner@apu$ python3 testzip.zip
['testzip.zip',
 '/usr/lib64/python3.6',
 ...]

# Same behaviour with -I
vstinner@apu$ python3 -I testzip.zip
['testzip.zip',
 '/usr/lib64/python3.6',
 ...]
---

The -I option:
https://docs.python.org/dev/using/cmdline.html#id2

----------
messages: 308310
nosy: steve.dower, vstinner
priority: normal
severity: normal
status: open
title: [Security] "python3 directory" inserts "directory" at sys.path[0] even in isolated mode
type: security
versions: Python 2.7, Python 3.6, Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32324>
_______________________________________
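
The check from the report above, as an added example that is not part of the original message or of CPython: it builds a throwaway directory and ZIP archive, runs each with and without -I under the current interpreter, and records whether the target itself ends up at sys.path[0]. The function names and the constructed `__main__.py` are assumptions made for this illustration.

```python
import os
import subprocess
import sys
import tempfile
import zipfile

# Constructed __main__.py: prints only the first sys.path entry.
MAIN_SOURCE = "import sys\nprint(sys.path[0])\n"


def first_path_entry(target, isolated):
    """Run `python [-I] target` and return the child's sys.path[0]."""
    cmd = [sys.executable]
    if isolated:
        cmd.append("-I")
    cmd.append(target)
    out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def check_path0():
    """Map (kind, isolated) -> True when the target itself is sys.path[0]."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        directory = os.path.join(tmp, "directory")
        os.mkdir(directory)
        with open(os.path.join(directory, "__main__.py"), "w") as fh:
            fh.write(MAIN_SOURCE)
        archive = os.path.join(tmp, "testzip.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("__main__.py", MAIN_SOURCE)
        for kind, target in (("directory", directory), ("zip", archive)):
            for isolated in (False, True):
                entry = first_path_entry(target, isolated)
                # realpath on both sides: the interpreter may report the
                # entry as relative, absolute or symlink-resolved.
                results[(kind, isolated)] = (
                    os.path.realpath(entry) == os.path.realpath(target)
                )
    return results


if __name__ == "__main__":
    for (kind, isolated), hit in sorted(check_path0().items()):
        flag = "-I" if isolated else "  "
        print(f"python {flag} <{kind}>: target at sys.path[0] = {hit}")
```
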