New submission from Antti Haapala <an...@haapala.name>:

I think this is a really stupid security bug. Running a module with `-mmodule` seems to add '' as a path in sys.path, and in front. This is doubly wrong, because '' will stand for whatever the current working directory might happen to be at the time of the *subsequent import statements*, i.e. it is far worse than https://bugs.python.org/issue16202

I.e. whereas python3 /usr/lib/module.py wouldn't do that, python3 -mmodule would make it so that following a chdir in code, imports would be executed from arbitrary locations.

Verified on MacOS X, Ubuntu 17.10, using a variety of Python versions up to 3.7.

----------
components: Interpreter Core
messages: 313641
nosy: ztane
priority: normal
severity: normal
status: open
title: Running a module with `-m` will add empty directory to sys.path
type: security

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue33053>
_______________________________________
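
Added example, not part of the original report or of CPython: it resolves the same search path [''] before and after a chdir to show that the empty entry follows the working directory at lookup time, and includes a small audit that flags sys.path entries that depend on the working directory. The module name shadow_demo, both function names and the temporary directories are assumptions constructed for this illustration.

```python
import importlib
import importlib.machinery
import os
import sys
import tempfile

MODULE = "shadow_demo"  # hypothetical module name, constructed for this example


def cwd_relative_entries(path=None):
    """Return (index, entry) for search-path entries resolved against the CWD.

    '' and any other non-absolute entry change meaning after os.chdir().
    """
    entries = sys.path if path is None else path
    return [(i, e) for i, e in enumerate(entries)
            if isinstance(e, str) and not os.path.isabs(e)]


def resolve_after_chdir():
    """Look up MODULE through [''] from two directories; return (dirs, origins)."""
    start = os.getcwd()
    origins = []
    with tempfile.TemporaryDirectory() as first, \
            tempfile.TemporaryDirectory() as second:
        for directory in (first, second):
            with open(os.path.join(directory, MODULE + ".py"), "w") as fh:
                fh.write("WHERE = %r\n" % directory)
        try:
            for directory in (first, second):
                os.chdir(directory)
                importlib.invalidate_caches()
                # Same search path both times; only the working directory differs.
                spec = importlib.machinery.PathFinder.find_spec(MODULE, [""])
                origins.append(os.path.realpath(spec.origin))
        finally:
            os.chdir(start)  # leave the temp dirs before they are removed
        dirs = [os.path.realpath(first), os.path.realpath(second)]
        return dirs, origins


if __name__ == "__main__":
    dirs, origins = resolve_after_chdir()
    for directory, origin in zip(dirs, origins):
        print("cwd=%s -> module found at %s" % (directory, origin))
    print("CWD-dependent sys.path entries:", cwd_relative_entries())
```

Calling cwd_relative_entries() at program start reports whether the running interpreter has such an entry; isolated mode (`python3 -I -m module`) keeps the current directory out of sys.path.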