[issue33944] Deprecate and remove pth files

Nick Coghlan report at bugs.python.org
Tue Feb 26 08:19:51 EST 2019


Nick Coghlan <ncoghlan at gmail.com> added the comment:

Yep, I completely understand (and agree with) the desire to eliminate the code injection exploit that was introduced decades ago by using exec() to run lines starting with "import " (i.e. "import sys; <arbitrary code goes here>").

I just don't want to lose the "add this location to sys.path" behaviour that exists for lines in pth files that *don't* start with "import ", since that has plenty of legitimate use cases, and the only downside of overusing it is an excessively long default sys.path (which has far more consistent and obvious symptoms than the arbitrary code execution case can lead to).

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33944>
_______________________________________
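
Added example, not part of the original message and not CPython's own code: a small audit that separates the two kinds of .pth lines discussed above, the ones starting with "import " that get passed to exec() and the ones that are plain sys.path entries. It assumes the line-classification rules used by CPython's site.py (check made on the raw, unstripped line); the function names and the sample file content are constructed for illustration.

```python
"""Audit .pth files: separate path entries from lines site.py would exec()."""
import os
import tempfile

def classify_pth_line(line):
    """Classify one .pth line (assumed to match site.py's startup handling)."""
    if line.startswith("#"):
        return "comment"
    if line.strip() == "":
        return "blank"
    if line.startswith(("import ", "import\t")):
        return "exec"      # would be passed to exec() at interpreter startup
    return "path"          # would be appended to sys.path if the directory exists

def audit_pth_text(text):
    """Return (exec_lines, path_entries); exec_lines holds (lineno, source)."""
    exec_lines, path_entries = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = classify_pth_line(line)
        if kind == "exec":
            exec_lines.append((lineno, line.rstrip()))
        elif kind == "path":
            path_entries.append(line.rstrip())
    return exec_lines, path_entries

def audit_site_dir(sitedir):
    """Map each .pth file name in sitedir to its audit result."""
    report = {}
    for name in sorted(os.listdir(sitedir)):
        if name.endswith(".pth"):
            path = os.path.join(sitedir, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                report[name] = audit_pth_text(f.read())
    return report

# Constructed sample .pth content (not taken from any real package).
# The indented last line does not start with "import ", so it counts as a path.
SAMPLE = "# comment\n../vendored\n\nimport sys; sys.dont_write_bytecode = True\n  import os\n"

def demo():
    """Write the sample into a temporary directory and audit that directory."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example.pth"), "w", encoding="utf-8") as f:
            f.write(SAMPLE)
        open(os.path.join(d, "README.txt"), "w").close()  # ignored: not a .pth
        return audit_site_dir(d)

if __name__ == "__main__":
    for name, (exec_lines, paths) in demo().items():
        print(name, "exec:", exec_lines, "paths:", paths)
```

To review a real installation, call audit_site_dir() on each directory returned by site.getsitepackages() and site.getusersitepackages(), and treat every "exec" entry as code that runs on every interpreter start.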

