Eryk Sun wrote:
On 2/24/20, email@example.com firstname.lastname@example.org wrote:
It is the intended and the expected behaviour. The working directory is always added to the sys.path.
You mean always in this particular context, i.e. the working directory is added normally when executing a command via -c or a module as a script via -m. When executing a script normally, the script directory gets added, which is reasonably secure.
Yeah, you are right.
Adding the working directory to sys.path is ok for the interactive shell and -c commands, but I don't understand why it gets added with -m, which is a security hole, and to me an annoyance. It can be disabled with isolated mode, but that's a blunt instrument that disables too much.
If the current directory is not added to the sys.path, how can modules be imported outside PYTHONPATH? https://docs.python.org/3/glossary.html#term-import-path
Python cannot guess where your modules are if paths to search for them are not provided. If you run a script from the terminal it is assumed that your modules are in the working directory.
Is another assumption possible? Maybe you can pass this path via CLI but I think that this is not currently possible. As far as I know, you must include your path in PYTHONPATH or run it from a proper directory.
Correct me if I am wrong.
On the other hand, can you explain why adding the current directory to importable paths creates a security hole? I am curious. No idea about this.
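The launch-mode behaviour discussed in this thread can be checked directly. The following is an added example, not part of either poster's message: it runs the same probe as a script, with -m, with -c, and with -I, from a working directory that differs from the script directory, and reports what ends up first on sys.path. The file name show_path.py and the work/lib layout are constructed for the check.

```python
import json
import os
import subprocess
import sys
import tempfile

# Child-side probe: dump sys.path with '' (which means "cwd") made explicit.
PROBE = (
    "import json, os, sys\n"
    "print(json.dumps([os.path.realpath(p or os.getcwd()) for p in sys.path]))\n"
)


def child_sys_path(args, cwd, lib_dir):
    """Run a child interpreter from `cwd` and return its resolved sys.path."""
    env = dict(os.environ, PYTHONPATH=lib_dir)
    env.pop("PYTHONSAFEPATH", None)  # 3.11+ setting that would alter the result
    proc = subprocess.run([sys.executable, *args], cwd=cwd, env=env,
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def probe_all():
    """Return {mode: (what sys.path[0] is, whether cwd is on sys.path)}."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        work = os.path.join(root, "work")  # directory the user happens to be in
        lib = os.path.join(root, "lib")    # directory holding the code
        os.mkdir(work)
        os.mkdir(lib)
        script = os.path.join(lib, "show_path.py")  # constructed probe file
        with open(script, "w") as fh:
            fh.write(PROBE)
        modes = {
            "script": [script],           # python lib/show_path.py
            "-m": ["-m", "show_path"],    # found via PYTHONPATH=lib
            "-c": ["-c", PROBE],
            "-I -c": ["-I", "-c", PROBE], # isolated mode
        }
        results = {}
        for name, args in modes.items():
            path = child_sys_path(args, work, lib)
            label = {work: "cwd", lib: "script dir"}.get(path[0], "other")
            results[name] = (label, work in path)
        return results


if __name__ == "__main__":
    for mode, (first, cwd_on_path) in probe_all().items():
        print(f"{mode:8} sys.path[0]={first:10} cwd importable={cwd_on_path}")
```

When cwd is on sys.path ahead of the standard library, any .py file in the directory the command is run from takes precedence over an installed module of the same name.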