UNABLE TO GET IDLE TO RUN

Peter Otten __peter__ at web.de
Wed Oct 28 14:21:01 EDT 2015


Michael Torrie wrote:

> On 10/28/2015 10:10 AM, Peter Otten wrote:
>> Terry Reedy wrote:
>> 
>> Thank you for your patience.
>> 
>>> Why do you think it a misfeature for IDLE to execute code the way Python
>>> does?
>> 
>> Sadly I wasn't aware that the interactive interpreter is also vulnerable.
>> I should have been, but failed to add one and one.
>> 
>> Until now I have often started python in a directory with unknown
>> contents, to use it as a calculator or to explore the files in that
>> directory.
>> 
>> I will stop doing so.
> 
> I'm curious what behavior you would suggest?

I didn't suggest anything, because I didn't see a practical remedy. 
 
> In the case of the bare interactive interpreter, since there's no script
> loaded, the current directory is added so you can import modules you are
> working on.  I do this all the time to help with testing and development
> of my projects' modules. This behavior makes perfect sense to me and I
> don't see any other practical alternative that is useful, except for
> some syntax that differentiates between "local" imports and system ones.
>  Not being able to easily import local modules would make the
> interactive interpreter next to useless for me.
> 
> Given that this is only the behavior for interactive Python anyway, I
> don't see this as a significant vulnerability. If a bad guy is littering
> your working directories with malicious python programs you might
> import, you've already lost. No amount of Python tweaks are going to
> save you.

The problematic module might not even be malicious, it could just lack the 

if __name__ == "__main__": ...

guard.

And I am the bad guy I have in mind ;)

When I download a Python project, have a look at it and then fire up an 
editor...

$ hg clone http://www.example.com/whatever
$ cd whatever
$ ls -1
interesting_stuff.py
...
string.py
...
also_interesting.py
...
readline.py
...
$ idle  # or $ python

I don't want to check if there are any modules in the project that have 
names that will cause idle or python to import them instead of those it 
actually needs.

Safer behaviour might be achieved by deferring the addition of the current 
directory to the path until idle or the interactive interpreter is 
completely set up or even by limiting import during the interpreter startup 
to built-in modules or a whitelist.

PS: The shell people have learned their lesson and no longer include the 
working directory in the PATH: 
$ ls # the real thing
$ ./ls # use at your own risk

So maybe

>>> import string  # stdlib
>>> from . import string  # whatever you dropped into your working directory

OK, probably not (just brainstorming).
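The check Peter says he does not want to do by hand (scan a fresh checkout for file names that would take precedence over standard-library modules once the working directory sits at `sys.path[0]`) can be automated. The script below is an added example for this thread, not code from either poster or from CPython. It never imports anything from the directory it inspects: it compares local `.py` files and packages against the interpreter's own list of standard-library names (`sys.stdlib_module_names` on Python 3.10+, with a directory scan as fallback on older interpreters), and uses `importlib.machinery.PathFinder.find_spec` to confirm that the import system would resolve a given name inside that directory. The `make_sample_checkout` helper builds a throwaway directory mirroring the listing in the post (`string.py`, `readline.py`, plus a `json/` package) so the example runs offline; those file names are constructed sample data.

```python
"""Report local module names that would shadow the standard library.

Added example for the python-list thread above (not code from the thread):
when IDLE or the interactive interpreter starts with '' at sys.path[0],
a string.py or readline.py in the working directory is imported instead
of the stdlib module. This script finds such names without importing them.
"""
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path


def stdlib_names():
    """Names that a plain 'import X' normally resolves to the standard library."""
    names = set(sys.builtin_module_names)
    frozen = getattr(sys, "stdlib_module_names", None)  # Python 3.10+
    if frozen is not None:
        return names | set(frozen)
    # Fallback for older interpreters: derive the names from the stdlib
    # directories (pure-Python modules, packages and C extensions).
    for key in ("stdlib", "platstdlib"):
        base = Path(sysconfig.get_paths()[key])
        for folder in (base, base / "lib-dynload"):
            if not folder.is_dir():
                continue
            for entry in folder.iterdir():
                is_module = entry.suffix in (".py", ".so", ".pyd")
                is_package = (entry / "__init__.py").is_file()
                if is_module or is_package:
                    names.add(entry.name.split(".")[0])
    return names


def local_module_names(directory):
    """Module names importable from `directory`: foo.py files and foo/__init__.py packages."""
    names = set()
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.suffix == ".py":
            names.add(entry.stem)
        elif entry.is_dir() and (entry / "__init__.py").is_file():
            names.add(entry.name)
    return names


def shadowing_modules(directory, reserved=None):
    """Sorted local names that collide with stdlib/builtin module names.

    `reserved` lets a caller supply its own name set (e.g. project-specific
    modules that must not be shadowed); by default the stdlib list is used.
    """
    reserved = stdlib_names() if reserved is None else set(reserved)
    return sorted(local_module_names(directory) & reserved)


def resolves_locally(directory, modname):
    """True if the import machinery, searching only `directory`, finds `modname` there.

    Only the finder runs, so the candidate module is located but never executed.
    """
    return PathFinder.find_spec(modname, [str(directory)]) is not None


def make_sample_checkout():
    """Create a constructed directory mirroring the listing in the post."""
    root = Path(tempfile.mkdtemp(prefix="whatever_"))
    for fname in ("interesting_stuff.py", "string.py",
                  "also_interesting.py", "readline.py"):
        (root / fname).write_text("# constructed sample file\n")
    (root / "json").mkdir()                      # a package that shadows 'json'
    (root / "json" / "__init__.py").write_text("")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = shadowing_modules(target)
    if hits:
        print("local names that would shadow stdlib modules when '' is on sys.path:")
        for name in hits:
            print("  ", name)
    else:
        print("no shadowing module names in", target)
```

Run it as `python check_shadowing.py path/to/checkout` before starting `python` or `idle` in that directory (assumed file name). The default name set is deliberately broad: it includes modules that are absent on the current platform, because a name such as `readline` is still one the interpreter itself may try to import during startup.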
