[issue35971] Documentation should warn about code injection from current working directory

2019-02-16 Thread Nick Coghlan
Nick Coghlan added the comment: Folks use "python -m myproject.mymodule" to run code that they're working on all the time - it's currently the only way to get sys.path right for cases like that (otherwise you're exposed to the double import trap, where you can get two copies of a submodule

[issue35971] Documentation should warn about code injection from current working directory

2019-02-12 Thread Eric Snow
Eric Snow added the comment: Note that I've asked Guido to comment about CWD in sys.path on issue #35969.

[issue35971] Documentation should warn about code injection from current working directory

2019-02-12 Thread Eric Snow
Eric Snow added the comment: related: issue #13475

[issue35971] Documentation should warn about code injection from current working directory

2019-02-12 Thread STINNER Victor
STINNER Victor added the comment: If someone wants to change the Python default behavior, a PEP will be required since it would be a major backward incompatible change. A lot of details and use cases must be discussed and documented.

[issue35971] Documentation should warn about code injection from current working directory

2019-02-12 Thread Eric Snow
Eric Snow added the comment: +Nick (who may have some insight here) -- nosy: +eric.snow, ncoghlan

[issue35971] Documentation should warn about code injection from current working directory

2019-02-12 Thread Ronald Oussoren
Ronald Oussoren added the comment: I don't know a good reason for including $PWD in sys.path for "python -m", I expect only scripts that run other scripts (such as coverage.py) might want the current behaviour and those can adjust to new behaviour. For "python -c CMD" the current behaviour

[issue35971] Documentation should warn about code injection from current working directory

2019-02-12 Thread STINNER Victor
STINNER Victor added the comment: Documentation is one thing. But I'm interested to discuss again (in 2019) the idea of changing the default behavior in Python 3.8 to enhance the "default" security.

[issue35971] Documentation should warn about code injection from current working directory

2019-02-11 Thread Karthikeyan Singaravelan
Karthikeyan Singaravelan added the comment: The change in behavior of Perl was discussed in https://mail.python.org/pipermail/python-ideas/2017-June/045842.html -- nosy: +vstinner, xtreak

[issue35971] Documentation should warn about code injection from current working directory

2019-02-11 Thread Gabriel Corona
New submission from Gabriel Corona: The CLI tools shipped in Debian python-rdflib-tools package can load modules from the current directory [1]:

    $ echo 'print("Something")' > cgi.py
    $ rdf2dot
    INFO:rdflib:RDFLib Version: 4.2.2
    Something
    Reading from stdin as None...

This