Eryk Sun wrote:
> On 2/24/20, jdve...@gmail.com jdve...@gmail.com wrote:
> >
> > It is the intended and the expected behaviour. The working directory is
> > always added to the sys.path.
>
> You mean always in this particular context, i.e. the working directory
> is added normally when executing a command via -c or a module as a
> script via -m. When executing a script normally, the script directory
> gets added, which is reasonably secure.

Yeah, you are right.

> Adding the working directory to sys.path is ok for the interactive
> shell and -c commands, but I don't understand why it gets added with
> -m, which is a security hole, and to me an annoyance. It can be
> disabled with isolated mode, but that's a blunt instrument that
> disables too much.

If the current directory is not added to the sys.path, how can modules be imported
outside PYTHONPATH? https://docs.python.org/3/glossary.html#term-import-path

Python cannot guess where your modules are if paths to search for them are not 
provided. If you run a script from terminal it is assumed that your modules are 
in the working directory.

Is another assumption possible? Maybe you can pass this path via CLI but I think
that this is not currently possible. As far as I know, you must include your
path in PYTHONPATH or run it from a proper directory.

Correct me if I am wrong.

On the other hand, can you explain why adding the current directory to 
importable paths creates a security hole? I am curious. No idea about this.
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/CPAI6PX3VITXJQLA53CJ6QMAT2T5T5I6/
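The sys.path behaviour discussed in this thread can be observed directly. The following is an added example, not part of the original messages: it runs the interpreter with -c, with -m, as a normal script, and in isolated mode (-I), and reports whether a module sitting in the working directory was importable. The module name `cwd_marker_demo` and the `work/` and `scripts/` layout are constructed for the demonstration.

```python
import os
import subprocess
import sys
import tempfile

MARKER = "cwd_marker_demo"  # constructed module name, assumed unused elsewhere


def survey():
    """Return {invocation: True if a module in the working directory was importable}."""
    # Drop variables that would alter sys.path and blur the comparison.
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONPATH", "PYTHONSAFEPATH", "PYTHONSTARTUP")}
    results = {}
    with tempfile.TemporaryDirectory() as root:
        work = os.path.join(root, "work")        # working directory of each run
        scripts = os.path.join(root, "scripts")  # directory holding the script
        os.mkdir(work)
        os.mkdir(scripts)
        # Harmless marker module placed only in the working directory.
        with open(os.path.join(work, MARKER + ".py"), "w") as f:
            f.write("ORIGIN = 'working directory'\n")
        # A script stored elsewhere that tries to import the marker.
        script = os.path.join(scripts, "run.py")
        with open(script, "w") as f:
            f.write("import " + MARKER + "\n")

        invocations = {
            "-c": ["-c", "import " + MARKER],
            "-m": ["-m", MARKER],
            "script": [script],
            "-I -c": ["-I", "-c", "import " + MARKER],
            "-I -m": ["-I", "-m", MARKER],
        }
        for name, args in invocations.items():
            proc = subprocess.run([sys.executable] + args, cwd=work, env=env,
                                  stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL)
            # Exit status 0 means the import (or -m lookup) succeeded.
            results[name] = proc.returncode == 0
    return results


if __name__ == "__main__":
    for name, found in survey().items():
        print(f"{name:8} working-directory module importable: {found}")
```

A `True` for `-m` means whatever files are in the directory the command is launched from take part in module resolution, which is why running `python -m ...` from a directory other users can write to is a concern.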