Issue 947380: sys.path is wrong in some cases (original) (raw)

Python version tested: 2.3.3 (But if I read the cvs annotate correctly, this goes all the way back to 2.0) OS Version tested: Win2K (but any win32 version should behave the same).

On Windows, sys,path sometimes contains the 'current working directory', in which the Python process was started, while the interpreter is still initializing; it shouldn't be there until after the interpreter had completed initializing and is ready for batch or interactive execution.

How to reproduce:

Use plain-vanilla 2.3.3 Python, without any additional module installed. The HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.3\PythonPath registry key must NOT have any subkey (this is true for a fresh install, but might not be true if packages were installed earlier).

Go to a subdirectory of your choice, e.g., C:\HoverCraft\Eels, and run (assuming Python is in c:\python23)

c:\python23\python -c "import sys; print sys.path"

The first entry should be the current directory or ''. That's ok - it was added at the end of initialization. The second entry will be a .zip file where the .dll is; That's also ok. The third entry should be the current directory (or '') again. THIS IS NOT OK.

How this was discovered:

To give credit where credit is due, my friend Oren Gampel created a file called 'stat.py' in a directory, and from that moment on, Python started complaining about failing to import site. The reason is that 'site' imports 'ntpath', which imports 'stat', which unfortunately imported the new 'stat' rather than the library 'stat'.

In some convoluted settings, this might have security implications - e.g., if an administrator starts a Python script in a directory to which a user has write permissions, this could result in a privelege escalation (even if the script has no import statements at all - the implicit "import site" is sufficient).

I'm submitting a 2-line patch to the patch tracker (and one of them is a comment!) that seems to solve this problem.