[Python-ideas] Security: remove "." from sys.path?

Sat Jun 3 09:50:00 EDT 2017

How about `import self.thing` (where "self" implies same dir as the 
current .py - if it's a dir-based package, then "self" is that dir) and 
`import super.thing` (where "super" implies parent package *locked to 
parent dir*. if there isn't any (top level package or main script), 
fail-by-default but let scripts override this behaviour (some scripts 
may want to reconfigure it to ignore "super" if there is no super))

With `import __future__.self_super_packages` to enable it.

This should then allow '' to be completely removed, since you can just 
use `self` and/or `super`. Imports using `self.thing` should have their 
`super` set to the current `self`, e.g.

./main.py
import self.xy

./xy/__init__.py
import super.zy

./zy/__init__.py
print "hello world"

Should print "hello world" when you run main.py, even if there are 
modules `xy` and `zy` in the python path and no ''.

On 2017-06-03 10:23 AM, Chris Angelico wrote:
> On Sat, Jun 3, 2017 at 8:36 PM, Steven D'Aprano <steve at pearwood.info> wrote:
>> On Fri, Jun 02, 2017 at 12:36:59PM +1000, Chris Angelico wrote:
>>
>> [...]
>>>> I expect that moving '' to the end of sys.path will be a less disruptive
>>>> change than removing it.
>>> This is true. However, anything that depends on the current behaviour
>>> (intentionally or otherwise) would be just as broken as if it were
>>> removed,
>> I don't think we've agreed that the current behaviour is broken. I
>> think we agree that:
>>
>> - it is unfortunate when people accidentally shadow the stdlib;
>>
>> - it is a feature to be able to intentionally shadow the stdlib.
>>
>> I believe that it is also a feature for scripts to be able to depend on
>> resources in their directory, including other modules. That's the
>> current behaviour. I don't know if you agree, but if you want to argue
>> that's "broken", you should do so explicitly.
> No, I'm not arguing that that behaviour is broken. Unideal, perhaps,
> but definitely not broken. What I said was that an application that
> depends on "import secrets" picking up secrets.py in the current
> directory is just as broken if '' is moved to the end as if it's
> removed altogether. By moving it to the end, we increase the chances
> that a minor version will break someone's code; by removing it
> altogether and forcing people to write "from . import secrets" (either
> with an implicit package or making people explicitly create
> __init__.py), we also force the issue to be fixed earlier. Instead of
> a potential future breakage, we have an immediate breakage with an
> easy and obvious solution.
>
> That's not to say that I don't think moving '' to the end would be an
> advantage. I just think that, if we're proposing to change the current
> behaviour and thus potentially break people's current code, we should
> fix the problem completely rather than merely reducing it.
>
> ChrisA
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/