classification
Title: Don't import readline in isolated mode
Type: security
Stage: resolved
Components: Interpreter Core
Versions: Python 3.7, Python 3.6
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: steve.dower
Nosy List: christian.heimes, python-dev, steve.dower
Priority: normal
Keywords:

Created on 2016-09-17 18:58 by steve.dower, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests
URL | Status | Linked
PR 552 | closed | dstufft, 2017-03-31 16:36
Messages (9)
msg276816 - Author: Steve Dower (steve.dower) (Python committer) Date: 2016-09-17 18:58
When running in isolated mode, readline should not be automatically imported (as it could conceivably be arbitrary code).
msg276820 - Author: Steve Dower (steve.dower) (Python committer) Date: 2016-09-17 19:05
Should also allow users to explicitly call site.enablerlcompleter() if they really want it.
msg276826 - Author: Roundup Robot (python-dev) (Python triager) Date: 2016-09-17 19:57
New changeset b0350f351752 by Steve Dower in branch '3.6':
Issue #28192: Don't import readline in isolated mode
https://hg.python.org/cpython/rev/b0350f351752
msg276829 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2016-09-17 20:01
+1, but your patch is missing Misc/NEWS and a merge to 'default'. The code in Modules/main.c is getting harder to read, too.
msg276831 - Author: Steve Dower (steve.dower) (Python committer) Date: 2016-09-17 20:02
The NEWS change slipped into my following commit, and I just did the one merge.

Since you're here, any ideas on how to test this? Adding a readline.py during the test suite will affect any tests running in parallel...
msg276833 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2016-09-17 20:06
The robot didn't mention your merge because the tracker id was not in the submit messages. I just saw it on python-cvs.

How about a test in subprocess? You could drop a readline.py into Lib/tests/somedirectory and run sys.executable with cwd='Lib/tests/somedirectory'.
msg276834 - Author: Steve Dower (steve.dower) (Python committer) Date: 2016-09-17 20:06
Also, I think PEP 432 is the way to go about simplifying Py_Main, and I'm keen to see it happen (presumably for 3.7). But the time constraints make it hard, which is why Nick hasn't gotten it done yet either.
msg276851 - Author: Roundup Robot (python-dev) (Python triager) Date: 2016-09-17 21:35
New changeset 5761294bb877 by Steve Dower in branch '3.6':
Issue #28192: Adds tests for hook in isolated mode
https://hg.python.org/cpython/rev/5761294bb877

New changeset 6c7a8a012669 by Steve Dower in branch 'default':
Issue #28192: Adds tests for hook in isolated mode
https://hg.python.org/cpython/rev/6c7a8a012669
msg276852 - Author: Steve Dower (steve.dower) (Python committer) Date: 2016-09-17 21:37
Turned out that we really only need to check for sys.__interactivehook__, which made it much easier to write the tests.
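
The check described in the last message, written out as an added example (it is not code from this thread or from CPython's test suite): it starts fresh interpreters and reports whether `sys.__interactivehook__` was registered by default, under `-I`, and under `-I` after an explicit `site.enablerlcompleter()` call. The helper names `probe`, `audit` and `regressions` are hypothetical, and a CPython 3.7+ interpreter is assumed.

```python
import json
import subprocess
import sys

# Child-side snippet: report the isolation flag and whether site.py registered
# sys.__interactivehook__, the hook that imports readline at the prompt.
CHILD = (
    "import json, sys; {prelude}"
    "print(json.dumps({{'isolated': bool(sys.flags.isolated), "
    "'hook': hasattr(sys, '__interactivehook__')}}))"
)


def probe(flags=(), prelude=""):
    """Start a fresh interpreter with `flags` and return its self-report."""
    cmd = [sys.executable, *flags, "-c", CHILD.format(prelude=prelude)]
    done = subprocess.run(cmd, capture_output=True, text=True,
                          check=True, timeout=60)
    # Parse only the last line in case a startup file printed something first.
    return json.loads(done.stdout.strip().splitlines()[-1])


def audit():
    """Probe the three startup modes discussed in the thread."""
    return {
        "default": probe(),
        "isolated": probe(["-I"]),
        "isolated_explicit": probe(
            ["-I"], "import site; site.enablerlcompleter(); "),
    }


def regressions(report):
    """Return findings; an empty list means startup matches the fixed behaviour."""
    findings = []
    if not report["isolated"]["isolated"]:
        findings.append("-I did not set sys.flags.isolated")
    if report["isolated"]["hook"]:
        findings.append("readline hook registered automatically under -I")
    if not report["isolated_explicit"]["hook"]:
        findings.append("site.enablerlcompleter() did not register the hook")
    return findings


if __name__ == "__main__":
    result = audit()
    print(json.dumps(result, indent=2))
    sys.exit(1 if regressions(result) else 0)
```

Run as a script, it exits non-zero when the interpreter under test registers the readline hook automatically in isolated mode.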
History
Date | User | Action | Args
2022-04-11 14:58:37 | admin | set | github: 72379
2017-03-31 16:36:38 | dstufft | set | pull_requests: + pull_request1101
2016-09-24 19:22:02 | christian.heimes | link | issue12238 superseder
2016-09-17 21:37:07 | steve.dower | set | status: open -> closed; resolution: fixed; messages: + msg276852; stage: needs patch -> resolved
2016-09-17 21:35:57 | python-dev | set | messages: + msg276851
2016-09-17 20:06:09 | steve.dower | set | messages: + msg276834
2016-09-17 20:06:06 | christian.heimes | set | messages: + msg276833
2016-09-17 20:02:59 | steve.dower | set | messages: + msg276831
2016-09-17 20:01:43 | christian.heimes | set | type: behavior -> security; components: + Interpreter Core
2016-09-17 20:01:22 | christian.heimes | set | nosy: + christian.heimes; messages: + msg276829
2016-09-17 19:57:29 | python-dev | set | nosy: + python-dev; messages: + msg276826
2016-09-17 19:05:38 | steve.dower | set | messages: + msg276820
2016-09-17 18:58:34 | steve.dower | create |