Creating a new virtual environment with the `venv` module reads any local `setup.cfg` file that may be found; if such a file has garbage, the `venv` fails with a mysterious message.
Reproduce:
```
$ date -u
Tue Sep 7 18:12:27 UTC 2021
$ mkdir /tmp/demo
$ cd /tmp/demo
$ echo 'a < b' >setup.cfg
$ python3 -V
Python 3.9.5
$ python3 -m venv venv
Error: Command '['/tmp/demo/venv/bin/python3.9', '-Im', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.
```
(Took me a little while to figure out I had some garbage in a `setup.cfg` file in $CWD that was causing it.)
Implications:
Potential implications are that a specially crafted `setup.cfg` might cause a security-compromised virtual environment to be created maybe? I don't know.
|