[New-bugs-announce] [issue33053] Running a module with `-m` will add empty directory to sys.path

Antti Haapala report at bugs.python.org
Mon Mar 12 07:57:15 EDT 2018


New submission from Antti Haapala <antti at haapala.name>:

I think this is a really stupid security bug. Running a module with `-mmodule` seems to add '' as a path in sys.path, and in front. This is doubly wrong, because '' will stand for whatever the current working directory might happen to be at the time of the *subsequent import statements*, i.e. it is far worse than https://bugs.python.org/issue16202

I.e. whereas `python3 /usr/lib/module.py` wouldn't do that, `python3 -mmodule` would make it so that following a chdir in code, imports would be executed from arbitrary locations. Verified on MacOS X, Ubuntu 17.10, using a variety of Python versions up to 3.7.

----------
components: Interpreter Core
messages: 313641
nosy: ztane
priority: normal
severity: normal
status: open
title: Running a module with `-m` will add empty directory to sys.path
type: security

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33053>
_______________________________________
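
The behaviour reported above, as an added example that is not part of the original report: an `''` entry in `sys.path` is resolved against whatever the working directory is when the import runs, and making the entries absolute stops that. The module name `demo_mod_33053` and the helpers `cwd_relative_entries` and `pin_path` are made up for this illustration, and the `''` entry is inserted by hand so the result does not depend on the interpreter version.

```python
import importlib
import os
import sys
import tempfile


def cwd_relative_entries(path=None):
    """Return sys.path entries that are resolved against the current working
    directory at import time: the empty string and any non-absolute path."""
    path = sys.path if path is None else path
    return [p for p in path if isinstance(p, str) and not os.path.isabs(p)]


def pin_path(path=None):
    """Drop '' and make remaining relative entries absolute, so a later
    chdir() cannot change where imports are looked up. Edits the list in place."""
    path = sys.path if path is None else path
    path[:] = [os.path.abspath(p) for p in path if p != ""]
    return path


def import_origin_after_chdir(harden):
    """Constructed scenario: sys.path starts with '', then the program chdirs
    into a directory holding demo_mod_33053.py and imports it.
    Returns the file the import resolved to, or None if it was not found."""
    saved_path, saved_cwd = list(sys.path), os.getcwd()
    with tempfile.TemporaryDirectory() as start, tempfile.TemporaryDirectory() as other:
        with open(os.path.join(other, "demo_mod_33053.py"), "w") as fh:
            fh.write("VALUE = 'loaded from the chdir target'\n")
        try:
            os.chdir(start)
            sys.path.insert(0, "")      # the state the report describes
            if harden:
                pin_path()              # '' removed before the chdir happens
            os.chdir(other)             # a chdir somewhere later in the code
            importlib.invalidate_caches()
            try:
                return importlib.import_module("demo_mod_33053").__file__
            except ModuleNotFoundError:
                return None
        finally:
            sys.modules.pop("demo_mod_33053", None)
            os.chdir(saved_cwd)         # leave the temp dirs before cleanup
            sys.path[:] = saved_path


if __name__ == "__main__":
    print("cwd-relative entries:", cwd_relative_entries())
    for harden in (False, True):
        print("harden =", harden, "->", import_origin_after_chdir(harden))
```

Calling `cwd_relative_entries()` early in a program started with `-m` shows whether the running interpreter left such an entry in place.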

