Message 239008 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	pythonhacker, vstinner
Date	2015-03-23.10:43:45
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1427107426.02.0.315685054827.issue23748@psf.upfronthosting.co.za>
In-reply-to

Content
we are all consenting adults here. Why do you modify a private attribute? > I am changing the type to security as I dont think this is a behaviour issue. I don't understand why do you consider that it is a security vulnerability? >>> import hack_uname # Someone imports my module unaware of the hack (see attached file) Your exploit starts by running untrusted Python code. Never do that. The vulnerability is the ability to load unstrusted Python code, not to modify the platform module. I close the issue as not a bug.

we are all consenting adults here. Why do you modify a private attribute?

> I am changing the type to security as I dont think this is a behaviour issue.

I don't understand why do you consider that it is a security vulnerability?

>>> import hack_uname
# Someone imports my module unaware of the hack (see attached file)

Your exploit starts by running untrusted Python code. Never do that. The vulnerability is the ability to load unstrusted Python code, not to modify the platform module.

I close the issue as not a bug.

History
Date	User	Action	Args
2015-03-23 10:43:46	vstinner	set	recipients: + vstinner, pythonhacker
2015-03-23 10:43:46	vstinner	set	messageid: <1427107426.02.0.315685054827.issue23748@psf.upfronthosting.co.za>
2015-03-23 10:43:45	vstinner	link	issue23748 messages
2015-03-23 10:43:45	vstinner	create