Jakub Wilk <jw...@jwilk.net> added the comment:

FWIW, this behavior is documented:

https://docs.python.org/3/using/cmdline.html#cmdoption-m
"As with the -c option, the current directory will be added to the start of 
sys.path."

With the -c option, at least you could easily remove the sys.path element 
yourself:

   python -c 'import sys; sys.path.remove(""); ...'

(This works, because sys is always a builtin module, so it won't be imported 
from cwd.)

I don't see any obvious way to make "python -m foo" secure in untrusted cwd, 
though.
The best I could come up with is:

   python -c 'import sys; sys.path.remove(""); import runpy; runpy._run_module_as_main("foo")'

which is quite insane.

----------
nosy: +jwilk

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue33053>
_______________________________________
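
The workaround discussed in the comment above, written as a small wrapper (an added example, not part of the original comment or of CPython). It uses the public `runpy.run_module` instead of the private helper, and the function names `strip_cwd_entries`, `resolve_origin` and `run_module_without_cwd` are hypothetical.

```python
import os
import runpy
import sys
from importlib.machinery import PathFinder


def strip_cwd_entries(path, cwd):
    """Return a copy of path without entries that resolve to cwd."""
    cwd = os.path.realpath(cwd)
    # "" (what -c and -m prepend) and "." both mean "the cwd at import time".
    return [p for p in path
            if p not in ("", ".") and os.path.realpath(p) != cwd]


def resolve_origin(name, path):
    """Return the file a top-level import of name would load from path."""
    # PathFinder ignores sys.modules, so this reports which file on disk
    # would win, without executing it.
    spec = PathFinder.find_spec(name, path)
    return spec.origin if spec else None


def run_module_without_cwd(name, argv=()):
    """Run module name as __main__ after dropping the cwd from sys.path."""
    sys.path[:] = strip_cwd_entries(sys.path, os.getcwd())
    saved_args = sys.argv[1:]
    sys.argv[1:] = list(argv)
    try:
        # Public runpy API; alter_sys=True sets sys.argv[0] and
        # sys.modules["__main__"] for the duration of the run.
        return runpy.run_module(name, run_name="__main__", alter_sys=True)
    finally:
        sys.argv[1:] = saved_args


if __name__ == "__main__":
    # Assumed usage: python /trusted/dir/wrapper.py MODULE [ARGS...]
    # The wrapper itself must live outside the untrusted directory.
    run_module_without_cwd(sys.argv[1], sys.argv[2:])
```

`resolve_origin` can be called before and after `strip_cwd_entries` to confirm whether a file in the working directory would shadow the intended module. On Python 3.11 and later, the interpreter's `-P` option (or `PYTHONSAFEPATH`) skips prepending the current directory in the first place.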