[issue32551] 3.5.4 has a regression that was fixed in 3.6.1rc1
Nick Coghlan
report at bugs.python.org
Sun Jan 14 23:03:03 EST 2018
Nick Coghlan <ncoghlan at gmail.com> added the comment:
Unfortunately, it looks like bpo-29319 was backported to the 3.5 branch, but not the follow-up fix from bpo-29723: https://github.com/python/cpython/commits/3.5/Modules/main.c
(The metadata on bpo-29319 indicated that the original change was targeted at 3.6+ only, and I didn't notice the message that mentioned the 3.5 branch, so I never even looked at 3.5 when working on bpo-29723 - I just assumed it wasn't affected)
Adding unexpected directories to sys.path can definitely be a security problem, so I think the fix should be backported for 3.5.5, but I'm also wondering whether it might be a significant enough regression to warrant an extra "Oops, sorry, we broke it" binary release. (We don't have any good usage numbers on how often folks use directory execution vs other forms of execution, so we don't know how widespread any impact is likely to be)
----------
nosy: +steve.dower
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32551>
_______________________________________
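The security concern raised in the comment is that a directory-execution regression can leave an entry on sys.path that the user never asked for, so a module sitting in that directory can be imported ahead of the intended one. The check below is an added illustration, not code from CPython or from the tracker issue; it assumes (the comment itself only says "unexpected directories") that the stray entry is the working directory, written either as an explicit path or as '' which the import system treats as the current directory. All directories and files it uses are constructed in a temporary tree, and the function names are hypothetical.

```python
import os
import tempfile


def unexpected_sys_path_entries(path_entries, script_dir, cwd):
    """Return the sys.path entries that resolve to the working directory
    instead of the directory being executed. '' means "current directory"
    to the path-based finder, so it is treated like an explicit cwd entry."""
    script_dir = os.path.realpath(script_dir)
    cwd = os.path.realpath(cwd)
    if script_dir == cwd:
        # Running the directory from inside it: cwd on sys.path is expected.
        return []
    flagged = []
    for entry in path_entries:
        resolved = os.path.realpath(entry) if entry else cwd
        if resolved == cwd:
            flagged.append(entry)
    return flagged


def first_provider(path_entries, module_name, cwd):
    """Return the sys.path entry an import of module_name would hit first,
    mimicking the ordered directory scan of the path-based finder for the
    two simple cases: a plain <name>.py file or a <name>/__init__.py package."""
    for entry in path_entries:
        base = entry or cwd
        if os.path.isfile(os.path.join(base, module_name + ".py")) or \
           os.path.isfile(os.path.join(base, module_name, "__init__.py")):
            return entry
    return None


def demo():
    """Constructed layout (hypothetical): a working directory holding a file
    named like a stdlib module, a separate application directory that is
    executed, and a stand-in for the stdlib directory."""
    root = tempfile.mkdtemp()
    cwd = os.path.join(root, "work")
    app = os.path.join(root, "app")
    stdlib = os.path.join(root, "stdlib")
    os.makedirs(cwd)
    os.makedirs(app)
    os.makedirs(os.path.join(stdlib, "json"))
    with open(os.path.join(cwd, "json.py"), "w") as f:
        f.write("# constructed: a file that collides with the stdlib json name\n")
    with open(os.path.join(stdlib, "json", "__init__.py"), "w") as f:
        f.write("# constructed stand-in for the real stdlib package\n")
    with open(os.path.join(app, "__main__.py"), "w") as f:
        f.write("import json\n")

    # Assumed shape of the regressed sys.path: cwd ('') leads, then the
    # executed directory, then the stdlib. The fixed list omits the cwd entry.
    regressed = ["", app, stdlib]
    fixed = [app, stdlib]
    return {
        "regressed_flagged": unexpected_sys_path_entries(regressed, app, cwd),
        "fixed_flagged": unexpected_sys_path_entries(fixed, app, cwd),
        "regressed_provider": first_provider(regressed, "json", cwd),
        "fixed_provider": first_provider(fixed, "json", cwd),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", repr(value))
```

In the regressed layout the audit flags the '' entry and the scan shows `json` would be served from the working directory; with the cwd entry gone, the same import resolves to the stdlib stand-in. Running the audit against the live `sys.path` at interpreter start-up, with `script_dir` set to the directory passed on the command line, is the practical use.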