[Python-ideas] Security: remove "." from sys.path?

Stephan Houben stephanh42 at gmail.com
Mon Jun 5 05:49:40 EDT 2017


What about just adding the -I (isolated mode) flag to the #! line of
installed scripts?

I was actually surprised this is not already done for the Python scripts in
/usr/bin on my Ubuntu box.

Stephan

Op 5 jun. 2017 02:52 schreef "Mike Miller" <python-ideas at mgmiller.net>:

> I'd like to throw some cold water on this one, for the same reason I
> always add "." to the path in my shell, when some well-meaning soul has
> removed it.  Why?
>
> It's 2017 and I've not shared a machine since the 1980's.  I use immutable
> containers in the cloud that are not at this particular risk either. At a
> small company you might share a file server, but can trust fellow
> employees.  At a large company, you might be at risk, but after many years
> at one I'd never heard of this actually happening.
>
> Guess that leaves hackers?  Well, if they are already in...
>
> In short I submit this problem is mostly theoretical, as it hasn't
> occurred in the decades (*cough*) of my experience.  From small company to
> large, to the cloud. Has it ever occurred in the history of the world?
> Sure.
>
> On the other hand, requiring "from . " in front of many imports would make
> python a bit more tedious every single day, for everyone.
>
> -1
>
> -Mike
>
> p.s. Rearranging sys.path should be tolerable.  Have wondered why the
> current dir was first.
>
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>
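The effect of the -I flag on sys.path that Stephan proposes for installed scripts can be verified directly. The following is an added example written for this archive page, not code from the thread: it writes a throwaway probe script into a temporary directory, runs the current interpreter against it with and without -I, and reports which sys.path entries point at the script's own directory (the implicit entry that a same-named module placed there would shadow). The probe script, the helper names and the JSON hand-off are all assumptions of this example.

```python
"""Added example: compare sys.path[0] with and without isolated mode (-I).

Not part of the mailing-list thread. Assumes only the standard library and
that sys.executable can be re-launched as a child process.
"""
import json
import os
import subprocess
import sys
import tempfile

# Constructed probe script: it reports the child's sys.path and whether the
# child was started in isolated mode (sys.flags.isolated, available since 3.4).
PROBE = (
    "import json, sys\n"
    "print(json.dumps({'path': sys.path, 'isolated': sys.flags.isolated}))\n"
)


def run_probe(isolated):
    """Run the probe as a script from a temp directory; return what it reports.

    The returned dict has 'path' (the child's sys.path), 'isolated' (0 or 1)
    and 'script_dir' (real path of the directory the probe was placed in).
    """
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "probe.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write(PROBE)
        cmd = [sys.executable] + (["-I"] if isolated else []) + [script]
        out = subprocess.run(
            cmd, capture_output=True, text=True, check=True, cwd=tmp
        ).stdout
        info = json.loads(out)
        # realpath: the interpreter resolves symlinks when it computes the
        # script directory, so compare resolved paths on both sides.
        info["script_dir"] = os.path.realpath(tmp)
        return info


def implicit_dirs(info):
    """Return the sys.path entries that resolve to the script's directory.

    An empty-string entry is also reported: it means "current directory" and
    only appears for -c / interactive use, never for a script, but an auditor
    should flag it if it is ever present.
    """
    hits = []
    for entry in info["path"]:
        if entry == "" or os.path.realpath(entry) == info["script_dir"]:
            hits.append(entry)
    return hits


def main():
    for isolated in (False, True):
        info = run_probe(isolated)
        mode = "-I" if isolated else "default"
        print(f"{mode:>8}: isolated={info['isolated']} "
              f"script-dir entries={implicit_dirs(info)}")


if __name__ == "__main__":
    main()
```

Without -I the child's sys.path[0] is the probe's directory, so any module name resolved from that script is looked up there first; with -I that entry is absent and sys.flags.isolated is 1, which is the property a #! line with -I gives an installed script. The check is read-only and suitable for a packaging or CI audit of scripts that ship without the flag.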

