Test Python 3.11 beta1 with PYTHONSAFEPATH=1
Hi,

I added the -P command line option and the PYTHONSAFEPATH=1
environment variable to Python 3.11 beta 1 to not prepend an "unsafe
path" to sys.path such as the script's directory or the current
directory:

https://docs.python.org/dev/using/cmdline.html#cmdoption-P

Example:
----------
$ echo 'Nope!' >random.py # broken module
$ echo 'import random; print(random.randint(1, 6))' >dice.py

$ python3.11 dice.py # default behavior
(...) File "/home/vstinner/random.py", line 1 (...)
SyntaxError: invalid syntax

$ python3.11 -P dice.py # ignore local random.py
4
----------

Please test Python 3.11 beta1 with the PYTHONSAFEPATH=1 environment
variable set, or at least run python with the -P option. I'm curious
which use cases are not affected and which use cases are affected.

The PYTHONSAFEPATH=1 environment variable is inherited and so affects
child processes. It can break applications relying on Python 3.10
sys.path behavior. I proposed adding a -p option which does the opposite
of the -P option: opt-in for Python 3.10 "unsafe" sys.path behavior,
ignore the PYTHONSAFEPATH environment variable:

https://github.com/python/cpython/pull/92361

If PYTHONSAFEPATH=1 only breaks a minority of use cases, maybe we can
consider making it the default, as Perl did in Perl 5.26 (2017) to
increase its security:
https://perldoc.perl.org/perl5260delta#Removal-of-the-current-directory-(%22.%22)-from-@INC

Perl has an environment variable to get the old (Perl 5.24) behavior:
PERL_USE_UNSAFE_INC=1.

If enough people consider that it would be a good idea to change the
default, I can maybe write a full PEP (I already have some notes).
Even if the PEP is rejected, it might be a good thing to write down
everything about this topic since it's a common issue hit by users
learning Python and a common question of people auditing Python
security. I was asked a few months ago about changing the default to
increase Python security.

Victor
--
Night gathers, and now my watch begins. It shall not end until my death.
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-leave@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/VO5A6K5O5HB563PNYZZ3SN57LIXRJTPC/
Code of Conduct: http://python.org/psf/codeofconduct/
Re: Test Python 3.11 beta1 with PYTHONSAFEPATH=1
On 5/9/2022 5:24 PM, Victor Stinner wrote:
> If PYTHONSAFEPATH=1 only breaks a minority of use cases, maybe we can
> consider making it the default, as Perl did in Perl 5.26 (2017) to
> increase its security:
> https://perldoc.perl.org/perl5260delta#Removal-of-the-current-directory-(%22.%22)-from-@INC
>
> Perl has an environment variable to get the old (Perl 5.24) behavior:
> PERL_USE_UNSAFE_INC=1.
>
> If enough people consider that it would be a good idea to change the
> default, I can maybe write a full PEP (I already have some notes).
> Even if the PEP is rejected, it might be a good thing to write down
> everything about this topic since it's a common issue hit by users
> learning Python and a common question of people auditing Python
> security. I was asked a few months ago about changing the default to
> increase Python security.

It's possibly worth writing it down, but I'm pretty sure it would impact
more people than it's worth. I quite often see people who are relying on
both empty sys.path[0] and implicit namespace packages for all of their
imports, often without realising it.

If we are able to add a warning on import via an empty sys.path entry,
that might be useful enough, but it could also serve as a deprecation
warning without necessarily putting a timeline on it (and also as
advertising for the new option).

Cheers,
Steve
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/FBDN23BFF24OZPZAXAFXQE3KMFFXHTTC/
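
The warning on imports satisfied from the script or current directory that is suggested in the reply above can be approximated with a meta path finder. This is an added example, not part of either message and not CPython behaviour; `UnsafePathWarner`, `install` and `demo` are hypothetical names, and the `random.py` file and `plugins/` directory are constructed sample input.

```python
import importlib.abc
import importlib.machinery
import sys
import tempfile
import warnings
from pathlib import Path


class UnsafePathWarner(importlib.abc.MetaPathFinder):
    """Warn about top-level imports the unsafe directory can satisfy."""

    def __init__(self, unsafe_dir):
        self.unsafe_dir = str(Path(unsafe_dir).resolve())
        self.hits = {}  # module name -> "module" | "namespace package"

    def find_spec(self, name, path=None, target=None):
        # Submodules use the parent's __path__; built-ins never reach sys.path.
        if path is not None or name in sys.builtin_module_names:
            return None
        spec = importlib.machinery.PathFinder.find_spec(name, [self.unsafe_dir])
        if spec is not None and name not in self.hits:
            # A spec without a loader is an implicit namespace package.
            kind = "module" if spec.loader is not None else "namespace package"
            self.hits[name] = kind
            warnings.warn(f"{kind} {name!r} resolves via unsafe path entry "
                          f"{self.unsafe_dir!r}", ImportWarning, stacklevel=2)
        return None  # never load anything: the regular finders do the import


def install(unsafe_dir=None):
    """Register the warner ahead of the default finders and return it."""
    if unsafe_dir is None:
        # Assumption: no -P, so sys.path[0] is the script directory or ''.
        unsafe_dir = sys.path[0] or Path.cwd()
    warner = UnsafePathWarner(unsafe_dir)
    sys.meta_path.insert(0, warner)
    return warner


def demo():
    """Constructed sample: a directory with random.py and a bare plugins/ dir."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "random.py").write_text("Nope!\n")
        Path(d, "plugins").mkdir()
        warner = UnsafePathWarner(d)
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", ImportWarning)
            for name in ("random", "plugins", "json", "sys"):
                warner.find_spec(name)
        return warner.hits
```

Calling `install()` at the top of an entry script and running with `-W default::ImportWarning` lists, in `hits`, the imports that would no longer resolve from that directory under `-P` or `PYTHONSAFEPATH=1`.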