Title: sys.path is wrong in some cases
Components: Interpreter Core
Status: closed
Resolution: out of date
Nosy List: georg.brandl, josiahcarlson, orib, zseil
Priority: normal

Created on 2004-05-04 00:46 by orib, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (5)
msg20673 - Author: Ori Berger (orib) Date: 2004-05-04 00:46
Python version tested: 2.3.3 (But if I read the cvs
annotate correctly, this goes all the way back to 2.0)
OS Version tested: Win2K (but any win32 version should
behave the same).

On Windows, sys.path sometimes contains the 'current
working directory', in which the Python process was
started, while the interpreter is still initializing;
it shouldn't be there until after the interpreter has
completed initializing and is ready for batch or
interactive execution.

How to reproduce:

Use plain-vanilla 2.3.3 Python, without _any_
additional module installed. The
HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.3\PythonPath
registry key must NOT have any subkey (this is true for
a fresh install, but might not be true if packages were
installed earlier).

Go to a subdirectory of your choice, e.g.,
C:\HoverCraft\Eels, and run (assuming Python is in
c:\python23)
> c:\python23\python -c "import sys; print sys.path"

The first entry should be the current directory or ''.
That's ok - it was added at the end of initialization.
The second entry will be a .zip file where the .dll is;
That's also ok. The third entry should be the current
directory (or '') again. THIS IS NOT OK.

How this was discovered:

To give credit where credit is due, my friend Oren
Gampel created a file called 'stat.py' in a directory,
and from that moment on, Python started complaining
about failing to import site. The reason is that 'site'
imports 'ntpath', which imports 'stat', which
unfortunately imported the new 'stat' rather than the
library 'stat'.

In some convoluted settings, this might have security
implications - e.g., if an administrator starts a
Python script in a directory to which a user has write
permissions, this could result in a privilege
escalation (even if the script has no import statements
at all - the implicit "import site" is sufficient).

I'm submitting a 2-line patch to the patch tracker (and
one of them is a comment!) that seems to solve this
problem.
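
Added example, not part of the original report or of CPython: a small Python 3 audit that reports which sys.path entries resolve to the working directory and which standard-library names (such as the 'stat' module described above) files in that directory would shadow. The function names and the sample path are constructed for illustration.

```python
import os
import sys
import tempfile

# sys.stdlib_module_names exists on Python 3.10+; the fallback is a
# constructed subset covering the modules named in this report.
STDLIB = getattr(sys, "stdlib_module_names",
                 frozenset({"site", "ntpath", "stat", "os"}))


def cwd_entries(path, cwd):
    """Return indices of path entries that resolve to cwd ('' means cwd)."""
    target = os.path.normcase(os.path.abspath(cwd))
    hits = []
    for i, entry in enumerate(path):
        resolved = os.path.abspath(os.path.join(cwd, entry))
        if os.path.normcase(resolved) == target:
            hits.append(i)
    return hits


def shadowing_modules(directory, stdlib=STDLIB):
    """Return stdlib module names that files or packages in directory shadow."""
    found = set()
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        base, ext = os.path.splitext(name)
        if ext in (".py", ".pyc") and base in stdlib:
            found.add(base)
        elif name in stdlib and os.path.isfile(os.path.join(full, "__init__.py")):
            found.add(name)
    return sorted(found)


def audit(path, cwd):
    """Report cwd entries in path and, if any, the stdlib names cwd shadows."""
    idx = cwd_entries(path, cwd)
    return {"cwd_indices": idx, "shadowed": shadowing_modules(cwd) if idx else []}


def demo():
    """Constructed case: a directory holding stat.py, listed twice on the path."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("stat.py", "eels.py"):
            open(os.path.join(d, name), "w").close()
        root = os.path.join(os.sep, "python23")  # constructed install location
        path = ["", os.path.join(root, "python23.zip"), d, os.path.join(root, "lib")]
        return audit(path, d)


if __name__ == "__main__":
    print(demo())
    print(audit(sys.path, os.getcwd()))
```
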
msg20674 - Author: Ori Berger (orib) Date: 2004-05-04 00:59
Patch uploaded to http://python.org/sf/947386
msg20675 - Author: Josiah Carlson (josiahcarlson) * (Python triager) Date: 2004-05-21 00:06
This is the old "module in current path shadows standard
library module" issue which will be fixed in Python 2.4 via
absolute and relative imports as stated in PEP 328:

http://python.org/peps/pep-0328.html
msg20676 - Author: Ziga Seilnacht (zseil) * (Python committer) Date: 2007-03-06 13:21
This was fixed in Python 2.5 with patch #1232023:
http://www.python.org/sf/1232023
msg20677 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2007-03-06 18:06
Closing accordingly.
History
Date                 User   Action  Args
2022-04-11 14:56:03  admin  set     github: 40212
2004-05-04 00:46:44  orib   create