From 2c4c02f8a876fcf084575dcaf857a0236c81261a Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@redhat.com>
Date: Wed, 17 Apr 2019 17:05:30 +0200
Subject: bpo-35755: Remove current directory from posixpath.defpath (GH-11586)

Document the change in a NEWS entry of the Security category.
---
 Lib/posixpath.py                                                   | 2 +-
 Misc/NEWS.d/next/Security/2019-01-17-10-03-48.bpo-35755.GmllIs.rst | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Security/2019-01-17-10-03-48.bpo-35755.GmllIs.rst

diff --git a/Lib/posixpath.py b/Lib/posixpath.py
index 21ce72f..ecb4e5a 100644
--- a/Lib/posixpath.py
+++ b/Lib/posixpath.py
@@ -18,7 +18,7 @@ pardir = '..'
 extsep = '.'
 sep = '/'
 pathsep = ':'
-defpath = ':/bin:/usr/bin'
+defpath = '/bin:/usr/bin'
 altsep = None
 devnull = '/dev/null'
 
diff --git a/Misc/NEWS.d/next/Security/2019-01-17-10-03-48.bpo-35755.GmllIs.rst b/Misc/NEWS.d/next/Security/2019-01-17-10-03-48.bpo-35755.GmllIs.rst
new file mode 100644
index 0000000..959aafd
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-01-17-10-03-48.bpo-35755.GmllIs.rst
@@ -0,0 +1,5 @@
+:func:`shutil.which` now uses ``os.confstr("CS_PATH")`` if available and if the
+:envvar:`PATH` environment variable is not set. Remove also the current
+directory from :data:`posixpath.defpath`. On Unix, :func:`shutil.which` and the
+:mod:`subprocess` module no longer search the executable in the current
+directory if the :envvar:`PATH` environment variable is not set.
-- 
cgit v0.12