[issue32324] [Security] "python3 directory" inserts "directory" at sys.path[0] even in isolated mode

Steve Dower report at bugs.python.org
Tue Dec 19 01:37:49 EST 2017


Steve Dower <steve.dower at python.org> added the comment:

> A compromise would be to refuse to start on "python3 -I directory" to remain secure

What would that achieve, considering that "python3 -I directory/__main__.py" would let you start with exactly the same sys.path?[*]

The only change that might be of any value would be to resolve the path as early as possible so that an absolute path is added to sys.path[0]. 

Not adding the directory of the startup script is a breaking change with no security benefits -- it has to stay there. -I is not a protection against command-line arguments.

[*] On Windows, using the filename seems to resolve the directory while using just the directory name does not. I'm not sure why they aren't identical, and obviously I think they should be, but I'd expect the initialization work to streamline it (when getpath.c becomes sensible).

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32324>
_______________________________________
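
A way to check the behaviour discussed in this message on a given interpreter, as an added example that is not part of the original thread: it runs the current interpreter with `-I` against a directory and against that directory's `__main__.py`, then reports whether `sys.path[0]` resolves to the directory and whether it is absolute. The directory name `app` and the helper names are constructed for illustration.

```python
import json
import os
import subprocess
import sys
import tempfile

# Constructed probe script: dumps sys.path as seen by the child interpreter.
PROBE = "import json, sys\nprint(json.dumps(sys.path))\n"


def run_isolated(cwd, target):
    """Run `python -I <target>` from cwd and return the child's sys.path."""
    out = subprocess.run(
        [sys.executable, "-I", target],
        cwd=cwd, check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def probe_isolated_sys_path():
    """Compare sys.path[0] for `-I app` and `-I app/__main__.py`."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "app")  # hypothetical directory name
        os.mkdir(app)
        with open(os.path.join(app, "__main__.py"), "w") as fh:
            fh.write(PROBE)
        app_real = os.path.realpath(app)

        report = {}
        targets = {"directory": "app",
                   "script": os.path.join("app", "__main__.py")}
        for label, target in targets.items():
            path = run_isolated(tmp, target)
            path0 = path[0] if path else None
            # Entries may be relative; resolve them against the child's cwd.
            resolved = [os.path.realpath(os.path.join(tmp, p)) for p in path]
            report[label] = {
                "path0": path0,
                "path0_is_absolute": bool(path0) and os.path.isabs(path0),
                "path0_is_app_dir": bool(resolved) and resolved[0] == app_real,
                "app_dir_on_path": app_real in resolved,
            }
        return report


if __name__ == "__main__":
    print(json.dumps(probe_isolated_sys_path(), indent=2))
```

The `script` entry is reported rather than assumed, since what `-I` does with a script's directory depends on the interpreter version being tested.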

