[Python-ideas] Security: remove "." from sys.path?
Victor Stinner
victor.stinner at gmail.com
Thu Jun 1 12:30:57 EDT 2017
More information about the Python-ideas mailing list
Hi,

Perl 5.26 succeeded in removing the current working directory from the default include path (our Python sys.path):
https://metacpan.org/pod/release/XSAWYERX/perl-5.26.0/pod/perldelta.pod#Removal-of-the-current-directory-(%22.%22)-from-@INC

Would it be technically possible to make this change in Python? Or would it destroy the world? Sorry, it's a naive question (but honestly, I don't know the answer.)

My main use case for "." in sys.path is to run an application without installing it: run ./hachoir-metadata which loads the Python "hachoir" module from the script directory. Sometimes, I explicitly run "PYTHONPATH=$PWD ./hachoir-metadata".

But I don't think that running an application from the source without installing it is the most common way to run an application. Most users install applications to use them, no?

Enabling the isolated mode already prevents "." from being added to sys.path: -I command line option.
https://docs.python.org/dev/using/cmdline.html#cmdoption-I

There is also an old idea of a "restricted" system Python which would use a "fixed" sys.path.

Victor
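An added example, not part of the original message: a probe that checks whether a module sitting in the working directory (code passed with `-c`) or next to a script (the ./hachoir-metadata style of use) is importable, with and without the `-I` option mentioned above. The module name `cwd_probe_mod`, the script name `tool.py` and the function names are constructed for this illustration.

```python
import os
import subprocess
import sys
import tempfile

PROBE = "cwd_probe_mod"  # constructed module name, not a real package


def _run(args, cwd):
    """Run the current interpreter without PYTHONPATH/PYTHONSAFEPATH set."""
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONPATH", "PYTHONSAFEPATH")}
    proc = subprocess.run([sys.executable, *args], cwd=cwd, env=env,
                          capture_output=True, text=True)
    # The probe module prints "imported" only if the import resolved to it.
    return proc.returncode == 0 and proc.stdout.strip() == "imported"


def probe(isolated):
    """Return (cwd_case, script_dir_case): did the sibling module import?"""
    flags = ["-I"] if isolated else []
    code = f"import {PROBE}"
    with tempfile.TemporaryDirectory() as work, \
         tempfile.TemporaryDirectory() as app, \
         tempfile.TemporaryDirectory() as elsewhere:
        # Case 1: module sits in the working directory, code given via -c.
        with open(os.path.join(work, PROBE + ".py"), "w") as f:
            f.write("print('imported')\n")
        cwd_case = _run(flags + ["-c", code], cwd=work)
        # Case 2: module sits next to a script started from an unrelated cwd.
        with open(os.path.join(app, PROBE + ".py"), "w") as f:
            f.write("print('imported')\n")
        script = os.path.join(app, "tool.py")
        with open(script, "w") as f:
            f.write(code + "\n")
        script_case = _run(flags + [script], cwd=elsewhere)
    return cwd_case, script_case


if __name__ == "__main__":
    for isolated in (False, True):
        print("isolated (-I)" if isolated else "default      ", probe(isolated))
```

Both cases import the sibling module by default and both fail under `-I`, which is the trade-off the message describes: isolated mode closes the implicit path entry but also breaks running an application from its source directory.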