[Python-ideas] Security: remove "." from sys.path?

Eric Snow ericsnowcurrently at gmail.com
Sat Jun 3 12:45:20 EDT 2017


On Sat, Jun 3, 2017 at 4:36 AM, Steven D'Aprano <steve at pearwood.info> wrote:
> I believe that it is also a feature for scripts to be able to depend on
> resources in their directory, including other modules. That's the
> current behaviour. [snip]
>
> Broken or not, removing '' from the sys.path will break scripts that
> expect to import modules in their directory. [snip]

Which is why the implicit sys.path entry probably can't go away, even
though it would be nice in some ways.  IIRC, in the past Guido has
indicated he's opposed to dropping the implicit sys.path entry for
reasons along these lines.

>
> How about... ?
>
> - in 3.7, we add a pair of command line flags, let's say:
>
>     --script-directory      # add '' to sys.path when running scripts
>     --no-script-directory   # don't add '' to sys.path

http://bugs.python.org/issue13475 spells these as "--path0" and
"--nopath0".  Also see http://www.python.org/dev/peps/pep-0395/ for
"ways that the current automatic initialisation of sys.path[0] can go
wrong" (quoted from the issue).

>
>   with the default remaining to add it
>
> - add a warning to 3.7 whenever you import a module from ''
>
> - in 3.9, we move '' to the end of sys.path instead of the start

Both seem okay.  Doing so would help with some of the reasons detailed
in PEP 395.  However we'd need to be sure the consequences are as
minimal as they seem. :)

>
> - and in 3.9, the default changes to not adding '' to sys.path unless
>   explicitly requested.

We'd need to make sure there was a simple, obvious replacement.  I'm
not convinced dropping the implicit sys.path entry is worth doing
though.

-eric
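
Added example, not part of the original message or of CPython: a check that lists the module names in a script's directory whose resolution would change if that directory were searched last instead of first, which is the ordering change discussed in the thread. The function names and the sample files (json.py, helper.py) are constructed for illustration.

```python
import importlib.machinery
import os
import sysconfig
import tempfile


def local_module_names(directory):
    """Top-level names that an import could satisfy from `directory`."""
    names = set()
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.endswith(".py"):
            names.add(entry.name[:-3])
        elif entry.is_dir() and os.path.isfile(os.path.join(entry.path, "__init__.py")):
            names.add(entry.name)
    return names


def resolve(name, search_path):
    """File a path-based import of `name` would load, or None."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None


def shadow_report(script_dir, rest_of_path):
    """Names whose resolution changes when script_dir moves from first to last."""
    # Built-in and frozen modules are found before sys.path is consulted,
    # so they cannot be shadowed this way and never show up here.
    importlib.invalidate_caches()
    report = {}
    for name in sorted(local_module_names(script_dir)):
        first = resolve(name, [script_dir] + list(rest_of_path))
        last = resolve(name, list(rest_of_path) + [script_dir])
        if first != last:
            report[name] = (first, last)
    return report


def demo():
    """Constructed sample: a script directory holding json.py and helper.py."""
    with tempfile.TemporaryDirectory() as script_dir:
        for filename in ("json.py", "helper.py"):
            with open(os.path.join(script_dir, filename), "w") as fh:
                fh.write("# constructed sample module\n")
        return shadow_report(script_dir, [sysconfig.get_path("stdlib")])


if __name__ == "__main__":
    for name, (first, last) in demo().items():
        print(f"{name}: entry first -> {first}; entry last -> {last}")
```

Only json is reported: helper.py has no competitor later on the path, so it resolves to the same file under either ordering. On Python 3.11 and later, the -P option or PYTHONSAFEPATH keeps this entry off sys.path.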

