[Python-ideas] Security: remove "." from sys.path?

Chris Angelico rosuav at gmail.com
Thu Jun 1 19:22:16 EDT 2017


On Fri, Jun 2, 2017 at 8:58 AM, Victor Stinner <victor.stinner at gmail.com> wrote:
>> (AIUI, the *current directory* is never on Python's path, but the
>> *script directory* is. They're the same thing a lot of the time.)
>
> Oh, it's very common that I run a script from its directory, so yeah, script
> directory = current directory in such a case. Sorry for the confusion. You are
> right, it's the script directory that is added to sys.path and I would like
> to know if it would be possible to change that?

Yeah. The rest of my post assumed you meant script directory and, on
that basis, wholeheartedly agrees with you.

Ultimately, what I would like is for "import random" to be absolutely
dependably going to grab the stdlib "random" module, or at very least,
something that someone *deliberately* is shadowing that module with.
You shouldn't be able to accidentally shadow a stdlib module.

ChrisA

