[New-bugs-announce] [issue32324] [Security] "python3 directory" inserts "directory" at sys.path[0] even in isolated mode

[STINNER Victor]

New submission from STINNER Victor <victor.stinner at gmail.com>:

Christian Heimes, author of the -I option (isolated mode), asked me to open an issue to check if the following behaviour is correct (safe in term of security).

"python3 directory" inserts "directory" at sys.path[0], even in isolated mode. Example:
---
vstinner at apu$ mkdir directory
vstinner at apu$ echo "import pprint, sys; pprint.pprint(sys.path)" > directory/__main__.py

vstinner at apu$ python3 directory
['directory',
 '/usr/lib64/python3.6',
 ...]

# Same behaviour with -I
vstinner at apu$ python3 -I directory
['directory',
 '/usr/lib64/python3.6',
 ...]
---


Same behaviour for a ZIP file:
---
vstinner at apu$ cd directory/
vstinner at apu$ zip ../testzip.zp __main__.py 
  adding: __main__.py (deflated 20%)
vstinner at apu$ cd ..
vstinner at apu$ python3 testzip.zip
python3: can't open file 'testzip.zip': [Errno 2] No such file or directory
vstinner at apu$ mv testzip.zp testzip.zip 
'testzip.zp' -> 'testzip.zip'

vstinner at apu$ python3 testzip.zip
['testzip.zip',
 '/usr/lib64/python3.6',
 ...]

# Same behaviour with -I
vstinner at apu$ python3 -I testzip.zip
['testzip.zip',
 '/usr/lib64/python3.6',
 ...]
---

The -I option:
https://docs.python.org/dev/using/cmdline.html#id2

----------
messages: 308310
nosy: steve.dower, vstinner
priority: normal
severity: normal
status: open
title: [Security] "python3 directory" inserts "directory" at sys.path[0] even in isolated mode
type: security
versions: Python 2.7, Python 3.6, Python 3.7

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32324>
_______________________________________