[issue33053] Running a module with `-m` will add empty directory to sys.path

Jakub Wilk report at bugs.python.org
Fri Mar 16 14:50:11 EDT 2018


Jakub Wilk <jwilk at jwilk.net> added the comment:

FWIW, this behavior is documented:

https://docs.python.org/3/using/cmdline.html#cmdoption-m
"As with the -c option, the current directory will be added to the start of sys.path."

With the -c option, at least you could easily remove the sys.path element yourself:

   python -c 'import sys; sys.path.remove(""); ...'

(This works, because sys is always a builtin module, so it won't be imported from cwd.)

I don't see any obvious way to make "python -m foo" secure in untrusted cwd, though.
The best I could come up with is:

   python -c 'import sys; sys.path.remove(""); import runpy; runpy._run_module_as_main("foo")'

which is quite insane.

----------
nosy: +jwilk

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33053>
_______________________________________


More information about the Python-bugs-list mailing list