[Python-ideas] Security: remove "." from sys.path?
Victor Stinner
victor.stinner at gmail.com
Thu Jun 1 12:30:57 EDT 2017
Hi,

Perl 5.26 succeeded in removing the current working directory from the
default include path (our Python sys.path):
https://metacpan.org/pod/release/XSAWYERX/perl-5.26.0/pod/perldelta.pod#Removal-of-the-current-directory-(%22.%22)-from-@INC

Would it be technically possible to make this change in Python? Or would
it destroy the world? Sorry, it's a naive question (but honestly, I
don't know the answer.)

My main use case for "." in sys.path is to run an application
without installing it: run ./hachoir-metadata which loads the Python
"hachoir" module from the script directory. Sometimes, I run
explicitly "PYTHONPATH=$PWD ./hachoir-metadata".

But I don't think that running an application from the source without
installing it is the most common way to run an application. Most users
install applications to use them, no?

Enabling the isolated mode already prevents "." from being added to
sys.path: -I command line option.
https://docs.python.org/dev/using/cmdline.html#cmdoption-I

There is also an old idea of a "restricted" system Python which would
use a "fixed" sys.path.

Victor
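
The effect of the -I option mentioned in the message, as an added example that is not part of the original post: a child interpreter is started in a directory holding a module, once with the default path and once isolated. The module name `cwd_shadow_demo` is constructed, and `python -c` is used because in that mode the implicit first sys.path entry is the current working directory.

```python
import os
import subprocess
import sys
import tempfile

# Constructed module name; chosen so it cannot collide with a real package.
MODULE = "cwd_shadow_demo"

# Code run in the child: try the import and report what sys.path contains.
PROBE = (
    "import sys\n"
    "try:\n"
    f"    import {MODULE}\n"
    "    found = True\n"
    "except ImportError:\n"
    "    found = False\n"
    "print(int(found), int('' in sys.path))\n"
)


def probe(isolated):
    """Run a child interpreter in a directory containing MODULE.py.

    Returns (module_imported, cwd_entry_in_sys_path) as booleans.
    """
    # Drop variables that would change sys.path independently of -I.
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONPATH", "PYTHONSAFEPATH")}
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, MODULE + ".py"), "w") as fh:
            fh.write("VALUE = 'loaded from the current directory'\n")
        cmd = [sys.executable]
        if isolated:
            cmd.append("-I")
        cmd += ["-c", PROBE]
        out = subprocess.run(cmd, cwd=workdir, env=env, check=True,
                             capture_output=True, text=True).stdout
    imported, cwd_entry = (bool(int(x)) for x in out.split())
    return imported, cwd_entry


if __name__ == "__main__":
    print("default :", probe(isolated=False))
    print("isolated:", probe(isolated=True))
```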