On 04Feb2017 09:19, Wildman <best_...@yahoo.com> wrote:
[...]  Personally I don't understand
the danger in having the dot in the path.  The './'
only means the current directory.  DOS and Windows
have searched the current directory since their
beginning.  Is that also dangerous?

Citing DOS and Windows as prior art doesn't support your "it seems safe" argument :-)

When you run a program its behaviour should be predictable. If your execution path or python module path includes "." (or some relative-path equivalent) in it, the behaviour of the program becomes dependent on where you're standing when you invoke it.

Who has not written a shell script called "ls" and left it in their home directory, ready for one's friends to visit and run it by accident? Mine kicked off a shell script that said "removing files now..." and started reciting fictitious "rm" commands. In _their_ home directory. (Since they were invoking it, that information is instantly available from $HOME.)

This is why having "." in your path (of whatever flavour), _particularly_ at the front (but really in general), is hazardous. At the least your commands become subject to misbehaviour through picking up the local (wrong) code; at the worst your programs become subverted if somehow malevolent code is sitting around somewhere.

Supposing you visit a dev directory with a testing (and _broken_) common module or command. Misadventure ensues.

Supposing you're a sysadmin. Nasty!

Supposing you've shunted some malware into a directory for examination? CDing _into_ that directory to do the examination is then _actively dangerous_.

The list goes on.

This is why having "the current directory", of whatever flavour, in your path is a bad idea in general.

Cheers,
Cameron Simpson <c...@zip.com.au>
--
https://mail.python.org/mailman/listinfo/python-list
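
An added example, not part of the original message: a small audit for the hazard discussed above. It flags search-path entries whose meaning depends on the current directory and shows which file a lookup would pick from a visited directory. POSIX path conventions are assumed; the function names and the temporary directory layout are constructed for illustration.

```python
import os
import posixpath
import tempfile

def cwd_dependent(entries):
    """Return (index, entry, reason) for each search-path entry whose meaning
    changes with the current directory (POSIX conventions assumed)."""
    found = []
    for i, entry in enumerate(entries):
        if entry == "":
            found.append((i, entry, "empty entry, treated as the current directory"))
        elif posixpath.normpath(entry) == ".":
            found.append((i, entry, "the current directory"))
        elif not posixpath.isabs(entry):
            found.append((i, entry, "relative path"))
    return found

def resolve(command, entries, cwd):
    """Return the file a PATH-style lookup would pick when invoked from cwd."""
    for entry in entries:
        # An absolute entry ignores cwd; "." or "" resolves to cwd itself.
        candidate = os.path.normpath(os.path.join(cwd, entry or ".", command))
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def demo():
    """Constructed layout: a trusted bin directory and a visited directory
    that contains its own executable named 'ls'."""
    root = os.path.realpath(tempfile.mkdtemp())
    trusted, visited = os.path.join(root, "bin"), os.path.join(root, "visited")
    for path in (os.path.join(trusted, "ls"), os.path.join(visited, "ls")):
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, 0o755)
    paths = {"dot first": [".", trusted], "dot last": [trusted, "."], "no dot": [trusted]}
    # Which 'ls' runs when the user is standing in the visited directory?
    picked = {name: resolve("ls", entries, visited) for name, entries in paths.items()}
    return trusted, visited, picked

if __name__ == "__main__":
    # Audit the real PATH of the current process.
    for finding in cwd_dependent(os.environ.get("PATH", "").split(":")):
        print("PATH entry %d %r: %s" % finding)
    trusted, visited, picked = demo()
    for name, path in picked.items():
        print("%-9s -> %s" % (name, path))
```

With "." last, the trusted copy wins for `ls`, but any command name not found in the earlier directories still falls through to the current directory.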
