[Python-ideas] Security: remove "." from sys.path?

Nick Coghlan ncoghlan at gmail.com
Sat Jun 3 10:42:41 EDT 2017


On 2 June 2017 at 02:30, Victor Stinner <victor.stinner at gmail.com> wrote:
> Hi,
>
> Perl 5.26 succeeded to remove the current working directory from the
> default include path (our Python sys.path):
>
> https://metacpan.org/pod/release/XSAWYERX/perl-5.26.0/pod/perldelta.pod#Removal-of-the-current-directory-(%22.%22)-from-@INC
>
> Would it be technically possible to make this change in Python? Or would
> it destroy the world? Sorry, it's a naive question (but honestly, I
> don't know the answer.)
>
> My main use case for "." in sys.path is to be able to run an application
> without installing it: run ./hachoir-metadata which loads the Python
> "hachoir" module from the script directory. Sometimes, I run
> explicitly "PYTHONPATH=$PWD ./hachoir-metadata".
>
> But I don't think that running an application from the source without
> installing it is the most common way to run an application. Most users
> install applications to use them, no?

Scripts are very frequently run without installing them, as are things
like Jupyter Notebooks, so any change along these lines would need to
be carefully planned to avoid being unduly disruptive.

It's entirely feasible at a technical level, though -
https://bugs.python.org/issue29929 describes one way to move away from
"import X" for __main__ relative imports and towards "from . import
X", which essentially involves turning __main__ into a package in its
own right when it's a directly executed script.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
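As an added illustration of the hazard the thread is discussing (not code from either post): a check that flags files in a script's directory that would shadow standard-library modules once that directory is prepended to sys.path, plus a constructed demonstration that such a file wins resolution. Function names and the sample files are assumptions of this example.

```python
"""Flag files that would shadow stdlib modules once their directory lands in
sys.path[0]. Added example for this thread; helper names are my own."""
import importlib
import importlib.machinery
import os
import sys
import sysconfig
import tempfile

# Where the pure-Python and C-extension parts of the stdlib live.
_STDLIB_DIR = sysconfig.get_paths()["stdlib"]
_STDLIB_PATH = [_STDLIB_DIR, os.path.join(_STDLIB_DIR, "lib-dynload")]


def resolve_origin(name, search_path):
    """File that `import name` would load if `search_path` were all of sys.path,
    or None. Built-in/frozen modules are not path based and are ignored here."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def is_stdlib_module(name):
    return name in sys.builtin_module_names or resolve_origin(name, _STDLIB_PATH) is not None


def shadowed_stdlib_modules(directory):
    """Top-level modules/packages in `directory` that collide with the stdlib.
    The interpreter prepends the script's directory (or "" for the cwd under
    -c, -m or the REPL) to sys.path, so each hit beats the real module."""
    names = set()
    for entry in os.listdir(directory):
        full = os.path.join(directory, entry)
        if entry.endswith(".py") and os.path.isfile(full):
            names.add(entry[:-3])
        elif os.path.isfile(os.path.join(full, "__init__.py")):
            names.add(entry)
    return sorted(n for n in names if is_stdlib_module(n))


def demo():
    """Constructed script directory with a stray json.py: it trips the check
    and wins resolution over the real json package."""
    directory = tempfile.mkdtemp(prefix="scriptdir-")
    for filename in ("json.py", "mytool.py"):  # constructed sample files
        open(os.path.join(directory, filename), "w").close()
    importlib.invalidate_caches()  # FileFinder caches directory listings
    return {
        "shadowed": shadowed_stdlib_modules(directory),
        "with_scriptdir": resolve_origin("json", [directory] + _STDLIB_PATH),
        "stdlib_only": resolve_origin("json", _STDLIB_PATH),
    }
```

Since Python 3.11 the -P option and the PYTHONSAFEPATH environment variable stop the interpreter from prepending that entry at all, which is the mitigation for the concern raised here.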
