[PATCH RFC-STABLE] warn about harmful PYTHONPATH values (issue2557)

Pierre-Yves David pierre-yves.david at ens-lyon.org
Sat May 12 03:59:35 CDT 2012


On Sat, May 12, 2012 at 12:18:00AM +0200, Matt Mackall wrote:
> On Wed, 2012-05-09 at 19:17 +0200, Pierre-Yves David wrote:
> > On Fri, May 04, 2012 at 11:33:50AM -0500, Matt Mackall wrote:
> > > On Fri, 2012-05-04 at 14:25 +0200, pierre-yves.david at logilab.fr wrote:
> > > > # HG changeset patch
> > > > # User Pierre-Yves David <pierre-yves.david at logilab.fr>
> > > > # Date 1336134161 -7200
> > > > # Branch stable
> > > > # Node ID 62db511c03ef5af6a421512e788a642bdacf5d24
> > > > # Parent  9450905de257e1ed09e1855ede0305567cf07b51
> > > > warn about harmful PYTHONPATH values (issue2557)
> > > > 
> > > > The following values will add $PWD to `sys.path`::
> > > > 
> > > >   PYTHONPATH='/foo/bar/:/jungle/babar:'
> > > >   PYTHONPATH=':/foo/bar/:/jungle/babar'
> > > >   PYTHONPATH='/foo/bar/::/jungle/babar'
> > > >   PYTHONPATH=''
> > > > 
> > > > This changeset adds a warning at Mercurial startup about the issue::
> > > > 
> > > >   WARNING: your PYTHONPATH end with ":"!
> > > >   WARNING: Python will add the current directory to import path.
> > > >   WARNING: Fix your PYTHONPATH to avoid potential erroneous import.
> > > 
> > > Not excited about this. It's not really our job to make sure people
> > > don't do stupid things with their Python setup.
> > 
> > I agree, but people usually blame Mercurial when a crash occurs.
> > 
> > > Now that we add our own library path to the installed executable, we
> > > should probably instead be deleting any reference to PYTHONPATH from our
> > > docs so people aren't tempted to mess with it.
> > 
> > The Mercurial lib is ok. But Mercurial and other extensions use standard modules
> > that may conflict with the content of the current directory.
> > 
> > e.g.: we have a cubes.emails package in one of our projects, and using Mercurial
> > from the cubes/ directory is impossible.
> 
> Perhaps we should just silently drop '.' from the path instead of
> warning?

We have no way to do this safely.

* sys.path items are /absolute/path
* items are only added once in sys.path

So, there is no "." in sys.path. And if $PWD is present in sys.path we have no
way to know if it was added because of resolving '.'/'' or because it is
perfectly legit for it to be there.

-- 
Pierre-Yves David
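
The point argued in this message, as an added example that is not part of the original mail or of the Mercurial patch: an empty entry can only be recognised in the raw PYTHONPATH string, because once entries are made absolute and de-duplicated the result is the same as a legitimate one. The function names, the `/work/cubes` directory and `modelled_sys_path` (a simplified model of the two properties listed above, not the interpreter's code) are assumptions for illustration.

```python
import posixpath


def empty_entries(pythonpath, sep=":"):
    """Classify each empty entry in a raw PYTHONPATH string.

    Covers the four forms listed in the commit message: trailing,
    leading and doubled separators, and the empty value.
    """
    parts = pythonpath.split(sep)
    found = []
    for index, part in enumerate(parts):
        if part != "":
            continue
        if len(parts) == 1:
            found.append("empty value")
        elif index == 0:
            found.append("leading separator")
        elif index == len(parts) - 1:
            found.append("trailing separator")
        else:
            found.append("doubled separator")
    return found


def modelled_sys_path(pythonpath, cwd, sep=":"):
    """Simplified model (assumption): make every entry absolute against
    cwd and keep each resulting path only once."""
    seen, result = set(), []
    for part in pythonpath.split(sep):
        absolute = posixpath.normpath(posixpath.join(cwd, part))
        if absolute not in seen:
            seen.add(absolute)
            result.append(absolute)
    return result


if __name__ == "__main__":
    # Constructed sample values; the first four are the commit message's forms.
    samples = ["/foo/bar/:/jungle/babar:", ":/foo/bar/:/jungle/babar",
               "/foo/bar/::/jungle/babar", "", "/foo/bar/:/jungle/babar"]
    for value in samples:
        print(repr(value), "->", empty_entries(value) or "no empty entry")

    # Same modelled result for a harmful and a legitimate value, so the
    # check has to run on the raw string, not on the resolved list.
    cwd = "/work/cubes"  # constructed working directory
    print(modelled_sys_path("/work/cubes:", cwd))
    print(modelled_sys_path("/work/cubes", cwd))
```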

