best way to ensure './' is at beginning of sys.path?
Cameron Simpson
cs at zip.com.au
Sat Feb 4 18:43:20 EST 2017
On 04Feb2017 09:19, Wildman <best_lay at yahoo.com> wrote:
>[...] Personally I don't understand
>the danger in having the dot in the path. The './'
>only means the current directory. DOS and Windows
>have searched the current directory since their
>beginning. Is that also dangerous?
Citing DOS and Windows as prior art doesn't support your "it seems safe"
argument :-)
When you run a program its behaviour should be predictable. If your execution
path or python module path includes "." (or some relative-path equivalent) in
it, the behaviour of the program becomes dependent on where you're standing
when you invoke it.
Who has not written a shell script called "ls" and left it in their home
directory, ready for one's friends to visit and run it by accident? Mine kicked
off a shell script that said "removing files now..." and started reciting
fictitious "rm" commands. In _their_ home directory. (Since they were invoking
it, that information is instantly available from $HOME.)
This is why having "." in your path (of whatever flavour), _particularly_ at
the front (but really in general), is hazardous. At the least your commands
become subject to misbehaviour through picking up the local (wrong) code; at
the worst your programs become subverted if somehow malevolent code is sitting
around somewhere.
Supposing you visit a dev directory with a testing (and _broken_) common module
or command. Misadventure ensues.
Supposing you're a sysadmin. Nasty!
Supposing you've shunted some malware into a directory for examination? CDing
_into_ that directory to do the examination is then _actively dangerous_.
The list goes on.
This is why having "the current directory", of whatever flavour, in your path
is a bad idea in general.
Cheers,
Cameron Simpson <cs at zip.com.au>
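
An added example, not part of the original message: a small audit that flags every entry in a search path (the shell's PATH or Python's sys.path) whose meaning depends on the current directory, shows which directory it would search from two different starting points, and returns the path with those entries dropped. The function names, the sample PATH and the two directories are constructed for illustration.

```python
import os
import sys

def audit(entries):
    """Return (index, entry, reason) for each search-path entry whose
    meaning changes with the current working directory."""
    findings = []
    for index, entry in enumerate(entries):
        if entry == "":
            reason = "empty entry: means the current directory"
        elif not os.path.isabs(entry):
            reason = "relative entry: resolved against the current directory"
        else:
            continue
        if index == 0:
            reason += " (searched first, shadows everything after it)"
        findings.append((index, entry, reason))
    return findings

def resolves_to(entry, cwd):
    """Directory actually searched for `entry` when invoked from `cwd`."""
    return os.path.normpath(os.path.join(cwd, entry or "."))

def cleaned(entries):
    """Same search order with every cwd-dependent entry dropped."""
    return [e for e in entries if e and os.path.isabs(e)]

# Constructed sample: a POSIX PATH with "." first, an empty component
# ("::") and a trailing relative directory.
SAMPLE_PATH = ".:/usr/local/bin::/usr/bin:tools"

if __name__ == "__main__":
    sample = SAMPLE_PATH.split(":")
    for index, entry, reason in audit(sample):
        print(f"PATH[{index}] {entry!r}: {reason}")
        for cwd in ("/home/alice", "/tmp/quarantine"):  # constructed directories
            print(f"    from {cwd} -> {resolves_to(entry, cwd)}")
    print("cleaned:", ":".join(cleaned(sample)))
    # The same check on this interpreter's real search paths.
    for index, entry, reason in audit(sys.path):
        print(f"sys.path[{index}] {entry!r}: {reason}")
    for index, entry, reason in audit(os.environ.get("PATH", "").split(os.pathsep)):
        print(f"$PATH[{index}] {entry!r}: {reason}")
```

Python 3.11 and later also accept `-P` (or `PYTHONSAFEPATH`) to stop the interpreter from prepending the script directory or the current directory to sys.path.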