[issue32324] [Security] "python3 directory" inserts "directory" at sys.path[0] even in isolated mode
STINNER Victor
report at bugs.python.org
Thu Dec 14 11:09:15 EST 2017
New submission from STINNER Victor <victor.stinner at gmail.com>:
Christian Heimes, author of the -I option (isolated mode), asked me to open an issue to check if the following behaviour is correct (safe in terms of security).
"python3 directory" inserts "directory" at sys.path[0], even in isolated mode. Example:
---
vstinner at apu$ mkdir directory
vstinner at apu$ echo "import pprint, sys; pprint.pprint(sys.path)" > directory/__main__.py
vstinner at apu$ python3 directory
['directory',
'/usr/lib64/python3.6',
...]
# Same behaviour with -I
vstinner at apu$ python3 -I directory
['directory',
'/usr/lib64/python3.6',
...]
---
Same behaviour for a ZIP file:
---
vstinner at apu$ cd directory/
vstinner at apu$ zip ../testzip.zp __main__.py
adding: __main__.py (deflated 20%)
vstinner at apu$ cd ..
vstinner at apu$ python3 testzip.zip
python3: can't open file 'testzip.zip': [Errno 2] No such file or directory
vstinner at apu$ mv testzip.zp testzip.zip
'testzip.zp' -> 'testzip.zip'
vstinner at apu$ python3 testzip.zip
['testzip.zip',
'/usr/lib64/python3.6',
...]
# Same behaviour with -I
vstinner at apu$ python3 -I testzip.zip
['testzip.zip',
'/usr/lib64/python3.6',
...]
---
The -I option:
https://docs.python.org/dev/using/cmdline.html#id2
----------
messages: 308310
nosy: steve.dower, vstinner
priority: normal
severity: normal
status: open
title: [Security] "python3 directory" inserts "directory" at sys.path[0] even in isolated mode
type: security
versions: Python 2.7, Python 3.6, Python 3.7
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32324>
_______________________________________
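
An added example (not part of the original report and not CPython's own code): a script that checks whether the interpreter running it shows the behaviour reported above, for a directory and for a ZIP archive, with and without -I. The helper names and the temporary paths are assumptions of this example.

```python
import json
import os
import subprocess
import sys
import tempfile
import zipfile

# Constructed __main__.py: the child process prints its own sys.path as JSON.
MAIN_SOURCE = "import json, sys; print(json.dumps(sys.path))\n"


def child_sys_path(target, isolated):
    """Run `python [-I] target` and return the child's sys.path."""
    cmd = [sys.executable] + (["-I"] if isolated else []) + [target]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


def target_is_first(target, isolated):
    """True if the directory/ZIP named on the command line is sys.path[0]."""
    first = child_sys_path(target, isolated)[0]
    return os.path.realpath(first) == os.path.realpath(target)


def check_interpreter():
    """Build a directory and a ZIP holding __main__.py; test each with and without -I."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        directory = os.path.join(tmp, "directory")
        os.mkdir(directory)
        with open(os.path.join(directory, "__main__.py"), "w") as fh:
            fh.write(MAIN_SOURCE)
        archive = os.path.join(tmp, "testzip.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("__main__.py", MAIN_SOURCE)
        for kind, target in (("directory", directory), ("zip", archive)):
            for isolated in (False, True):
                results[(kind, isolated)] = target_is_first(target, isolated)
    return results


if __name__ == "__main__":
    for (kind, isolated), hit in sorted(check_interpreter().items()):
        flag = "-I" if isolated else "  "
        print(f"python {flag} {kind:9s} -> target at sys.path[0]: {hit}")
```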