BestHub
Sign in
Information Security 7 min read

Why Using $PYTHONPATH Is Unsafe and How to Secure Python Execution

The article explains how using the $PYTHONPATH environment variable and running Python from the Downloads folder can expose systems to code injection attacks, demonstrates exploit examples, and provides safe practices such as using virtualenv and proper path handling to protect Python execution.

Python Programming Learning Circle
Python Programming Learning Circle
Python Programming Learning Circle
Why Using $PYTHONPATH Is Unsafe and How to Secure Python Execution

Python is widely popular because of its simple syntax and easy module import, but this convenience can become a security backdoor when beginners run scripts from unsafe locations like the ~/Downloads directory.

For a Python program to run safely, three conditions must be met: every entry on the system PATH must point to a trusted location, the directory containing the main script must be in the path, and when using the -c or -m options the invoked directory must also be safe.

Although installing pip in /usr/bin is secure, invoking it with python -m pip can be hijacked if a malicious pip.py resides in the current working directory. The article shows how creating such a file can replace the legitimate pip command.

~$ cd Downloads
~/Downloads$ python -m pip install ./totally-legit-package.whl

Another attack vector involves the $PYTHONPATH variable. A simple script tool.py tries to import an optional module; an attacker can place a malicious optional_extra.py in a directory that appears earlier in PYTHONPATH , causing the script to execute attacker‑controlled code.

# tool.py
try:
    import optional_extra
except ImportError:
    print("extra not found, that's fine")

Setting $PYTHONPATH to an empty string is not the same as unsetting it; Python treats an empty value as the current directory, which can still be exploited. The article demonstrates this with export commands that prepend a safe path but still allow a malicious module to be found.

export PYTHONPATH="/a/perfectly/safe/place:$PYTHONPATH"
python ../install_dir/tool.py   # prints "lol ur pwnt"
export PYTHONPATH=""
python ../install_dir/tool.py   # also prints "lol ur pwnt"

To avoid these pitfalls, the author recommends abandoning $PYTHONPATH in favor of virtual environments, or, if it must be used, constructing it with absolute paths and avoiding empty entries. Proper export syntax is provided to safely append new entries.

export PYTHONPATH="${PYTHONPATH:+${PYTHONPATH}:}new_entry_1"
export PYTHONPATH="${PYTHONPATH:+${PYTHONPATH}:}new_entry_2"

Additional precautions include not running Jupyter notebooks directly from the Downloads folder and always using absolute paths when manipulating $PYTHONPATH . The article concludes with a checklist of safe practices for Python development.

SecurityCode InjectionvirtualenvPYTHONPATHPath Hijacking
Python Programming Learning Circle
Written by

Python Programming Learning Circle

A global community of Chinese Python developers offering technical articles, columns, original video tutorials, and problem sets. Topics include web full‑stack development, web scraping, data analysis, natural language processing, image processing, machine learning, automated testing, DevOps automation, and big data.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment