- Dec 2021: bad magic number in 'six'. The VMware Perl SDK installation process created /usr/bin/six.pyc.
- May 2020: Python flag/envvar to not put current directory on sys.path (but don’t ignore PYTHONPATH)
- Mar 2018: bpo-33053: Avoid adding an empty directory to sys.path when running a module with -m.
- Jun 2017: [Python-ideas] Security: remove "." from sys.path?
- Oct 2015: CVE-2015-5652 about malicious readline.pyd in the current directory on Windows.
- Mar 2014: Python 3.4 adds -I option: isolated mode.
- Oct 2012: bpo-16202: sys.path[0] security issues
- Oct 2012: Sage: Python sys.path security risk. The Sage test suite is vulnerable to stdlib module overridden in /tmp directory like /tmp/socket.py.
- Nov 2011: bpo-13506: IDLE sys.path does not contain Current Working Directory
- Nov 2011: bpo-13475: Add --mainpath/--nomainpath command line options to override sys.path[0] initialisation
- Nov 2011: debian-python: Re: ImportError: No module named multiarray (is back)
- Jun 2011: PEP 405 -- Python Virtual Environments. It adds the pyvenv.cfg configuration file.
- Mar 2011: PEP 395 -- Qualified Names for Modules
- Aug 2009: [Python-Dev] Excluding the current path from module search path?
- Apr 2009: bpo-5753: CVE-2008-5983 python: untrusted python modules search path. It adds the PySys_SetArgvEx() function to Python 2.6.6 and Python 3.1.3.
- Dec 2008: Python 3.0 is released with absolute imports by default
- May 2004: bpo-946373: Do not add directory of sys.argv[0] into sys.path
- Dec 2003: PEP 328 -- Imports: Multi-Line and Absolute/Relative
Option:
- --path0 and --nopath0
- --mainpath and --nomainpath
- -p and -P
Command | sys.path[0] |
---|---|
python -m module | os.getcwd() |
python -c code | '' |
python script.py | os.path.realpath('script.py') |
REPL: python | '' |
XXX what if os.chdir() is called?
Python 3.X changed __file__ to make it absolute
On Unix, modifying the standard library requires administrator permission. Python supports a user site directory which can be modified by the current user.
The Windows installer installed Python 2.7 in C:\Python27 by default, which can be modified by regular users. The Windows installer of Python 3 now installs Python in C:\Program Files, which can only be modified by the administrator.
On Windows 8.1 and older, the Windows installer is vulnerable to DLL injection: if a malicious DLL is created in the same download directory as the Python installer, the DLL is loaded by the Windows installer.
Moreover, the installation of pip by the Windows installer can also load a malicious DLL installed in one of the PATH directories.
- Add a warning when the script is in a world-writable directory: https://bugs.python.org/issue16202#msg172756
XXX sys.stdlib_module_names XXX
Multiple long options cannot be used.
In May 2017, the Perl 5.26 release removed the current directory from the default module search path: Removal of the current directory (".") from @INC.
- argv[0] of the C main() function: name and path of the Python program
- Command line options:
  - -s: don't add the user site directory
  - -E: ignore environment variables
  - -I: isolated mode (imply -E -s)
- Environment variables:
  - PATH (to get argv[0] absolute path)
  - PYTHONEXECUTABLE (macOS)
  - PYTHONHOME
  - PYTHONNOUSERSITE
  - PYTHONPATH
  - PYTHONPLATLIBDIR
  - __PYVENV_LAUNCHER__ (macOS)
- Configuration files:
  - pybuilddir.txt
  - python._pth
  - pyvenv.cfg
- On Windows, application paths in the registry under Software\Python\PythonCore\X.Y\PythonPath of HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE (where X.Y is the Python version).
Moreover, a path is prepended to sys.path: see Python 3.10 sys.path[0].
See the Python Path Configuration for more details.