[Python-ideas] Security: remove "." from sys.path?

[Nick Coghlan]

On 5 June 2017 at 20:55, Victor Stinner <victor.stinner at gmail.com> wrote:
> A minimum change would be to add the (empty string) at the end of sys.path
> in Python 3.7 rather than adding it at the start.
>
> It would increase Python usability since it avoids the "random has no
> randint() function" caused by a random.py file in the script directory. In
> my experience, this bug hits every developers starting to learn Python and
> it can be very strange when you get the error when trying to run IDLE.
>
> I don't think that a new command line parameter is required. It's already
> easy enough to prepend something to sys.path directly in the script. And I
> consider that it's a very rare use case.

The biggest problem with this approach is that it means that adding
new standard library modules becomes a backwards compatibility break -
scripts that used to work will now fail since they'll get the standard
library module rather than the previously implicit main relative
import. At the moment we don't have that problem - as with new
builtins, adding a new standard library module may mean people have to
rename things to get access to it, but their current code won't
actually *break* as a result of the new name being assigned.

Hence the "from . import helper" idea - that's unambiguous, so it will
always get the co-located library, even if we later add "helper" to
the standard library.

That said, if we *just* wanted to fix the "random has no attribute
randint" problem, without any other side effects, we could potentially
special case __main__.__file__ in the import system such that we
always ignored it, even if it could technically satisfy the current
import request.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia