[3.7] bpo-35755: shutil.which() uses os.confstr("CS_PATH") (GH-12862)

* bpo-35755: shutil.which() uses os.confstr("CS_PATH") (GH-12858)

shutil.which() and distutils.spawn.find_executable() now use
os.confstr("CS_PATH") if available instead of os.defpath, if the PATH
environment variable is not set.

Don't use os.confstr("CS_PATH") nor os.defpath if the PATH
environment variable is set to an empty string.

Changes:

* find_executable() now starts by checking for the executable in the
  current working directory case. Add an explicit
  "if not path: return None".
* Add tests for PATH='' (empty string), PATH=':' and for PATHEXT.

(cherry picked from commit 228a3c99bdb2d02771bead66a0beabafad3a90d3)

* bpo-35755: Remove current directory from posixpath.defpath (GH-11586)

Document the change in a NEWS entry of the Security category.

(cherry picked from commit 2c4c02f8a876fcf084575dcaf857a0236c81261a)
diff --git a/Lib/shutil.py b/Lib/shutil.py
index f32c66b..b0a53db 100644
--- a/Lib/shutil.py
+++ b/Lib/shutil.py
@@ -1138,7 +1138,17 @@
         return None
 
     if path is None:
-        path = os.environ.get("PATH", os.defpath)
+        path = os.environ.get("PATH", None)
+        if path is None:
+            try:
+                path = os.confstr("CS_PATH")
+            except (AttributeError, ValueError):
+                # os.confstr() or CS_PATH is not available
+                path = os.defpath
+        # bpo-35755: Don't use os.defpath if the PATH environment variable is
+        # set to an empty string
+
+    # PATH='' doesn't match, whereas PATH=':' looks in the current directory
     if not path:
         return None
     path = path.split(os.pathsep)
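Review bot: in the new `if path is None:` branch, only an exception from os.confstr("CS_PATH") falls back to os.defpath; a None or empty return value does not. os.confstr() returns None when the configuration value is not defined, so in that case control reaches `if not path: return None` and the lookup fails without ever trying os.defpath, even though PATH was unset rather than set to an empty string. Consider adding a fallback inside the PATH-unset branch, after the try/except, such as `if not path: path = os.defpath`, which leaves the PATH='' case returning None as intended. Separately, the "bpo-35755: Don't use os.defpath ..." comment is followed by a blank line and attached to no statement; it would read better merged with the comment directly above `if not path:`, which is the check that implements it.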