On 5/9/2022 5:24 PM, Victor Stinner wrote:
> If PYTHONSAFEPATH=1 only breaks a minority of use cases, maybe we can
> consider making it the default, as Perl did in Perl 5.26 (2017) to
> increase its security:
>
> https://perldoc.perl.org/perl5260delta#Removal-of-the-current-directory-(%22.%22)-from-@INC
>
> Perl has an environment variable to get the old (Perl 5.24) behavior:
> PERL_USE_UNSAFE_INC=1.
>
> If enough people consider that it would be a good idea to change the
> default, I can maybe write a full PEP (I already have some notes).
>
> Even if the PEP is rejected, it might be a good thing to write down
> everything about this topic since it's a common issue hit by users
> learning Python and a common question of people auditing the Python
> security. I was asked a few months ago about changing the default to
> increase Python security.

It's possibly worth writing it down, but I'm pretty sure it would impact
more people than it's worth. I quite often see people who are relying on
both empty sys.path[0] and implicit namespace packages for all of their
imports, often without realising it.

If we are able to add a warning on import via an empty sys.path entry,
that might be useful enough, but it could also serve as a deprecation
warning without necessarily putting a timeline on it (and also as
advertising for the new option).

Cheers,
Steve
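
Added example, not part of the original message and not CPython's implementation: one way to audit which top-level imports are served by the empty `sys.path` entry (the current directory), including the implicit namespace package case mentioned above, and to warn when that happens. The names `winning_entry`, `EmptyEntryWarner`, `CwdImportWarning` and `install` are hypothetical.

```python
import sys
import warnings
from importlib.machinery import PathFinder


class CwdImportWarning(UserWarning):
    """Hypothetical category (not a CPython one) for imports served from ''."""


def winning_entry(name, path):
    """Return the entry of `path` that would supply top-level module `name`."""
    namespace_hit = None
    for entry in path:
        spec = PathFinder.find_spec(name, [entry])
        if spec is None:
            continue
        if spec.loader is not None:
            return entry  # regular module or package: the first one wins
        if namespace_hit is None:
            namespace_hit = entry  # namespace portion: used only if nothing regular exists
    return namespace_hit


class EmptyEntryWarner:
    """Meta path finder that loads nothing; it only reports cwd-relative imports."""

    @staticmethod
    def find_spec(name, path=None, target=None):
        # path is None only for top-level imports, which are the ones sys.path decides.
        if path is None and winning_entry(name, sys.path) == "":
            warnings.warn(
                f"{name!r} resolved via the empty sys.path entry (current directory)",
                CwdImportWarning,
            )
        return None  # defer to the normal finders


def install():
    """Insert the warner just before PathFinder so built-in and frozen modules are skipped."""
    index = sys.meta_path.index(PathFinder) if PathFinder in sys.meta_path else 0
    sys.meta_path.insert(index, EmptyEntryWarner)


if __name__ == "__main__":
    # Usage: python thisfile.py modname [modname ...]
    for mod in sys.argv[1:]:
        print(mod, "->", repr(winning_entry(mod, sys.path)))
```

Calling `install()` early in a test run lists the imports that would stop resolving once the empty entry is removed.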
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
Message archived at
https://mail.python.org/archives/list/python-dev@python.org/message/FBDN23BFF24OZPZAXAFXQE3KMFFXHTTC/