[Python-ideas] Security: remove "." from sys.path?
Mike Miller
python-ideas at mgmiller.net
Sun Jun 4 20:44:53 EDT 2017
I'd like to throw some cold water on this one, for the same reason I always add
"." to the path in my shell, when some well-meaning soul has removed it. Why?

It's 2017 and I've not shared a machine since the 1980s. I use immutable
containers in the cloud that are not at this particular risk either. At a small
company you might share a file server, but can trust fellow employees. At a
large company, you might be at risk, but after many years at one I'd never heard
of this actually happening.

Guess that leaves hackers? Well, if they are already in...

In short I submit this problem is mostly theoretical, as it hasn't occurred in the
decades(*cough*) of my experience. From small company to large, to the cloud.
Has it ever occurred in the history of the world? Sure.

On the other hand, requiring "from . " in front of many imports would make
Python a bit more tedious every single day, for everyone.

-1

-Mike

p.s. Rearranging sys.path should be tolerable. Have wondered why the current
dir was first.