
classification
Title: `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously
Type: behavior
Stage:
Components:
Versions: Python 3.9

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: dstufft, ncoghlan, nutjob4life, pradyunsg
Priority: normal
Keywords:

Created on 2021-09-07 18:15 by nutjob4life, last changed 2022-04-11 14:59 by admin.

Messages (1)
msg401320 - Author: Sean Kelly (nutjob4life) Date: 2021-09-07 18:15
Creating a new virtual environment with the `venv` module reads any local `setup.cfg` file that may be found; if such a file has garbage, the `venv` fails with a mysterious message. 

Reproduce:

```
$ date -u
Tue Sep  7 18:12:27 UTC 2021
$ mkdir /tmp/demo
$ cd /tmp/demo
$ echo 'a < b' >setup.cfg
$ python3 -V
Python 3.9.5
$ python3 -m venv venv
Error: Command '['/tmp/demo/venv/bin/python3.9', '-Im', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.
```

(Took me a little while to figure out I had some garbage in a `setup.cfg` file in $CWD that was causing it.)

Implications:

Potential implications are that a specially crafted `setup.cfg` might cause a security-compromised virtual environment to be created maybe? I don't know.
History
Date User Action Args
2022-04-11 14:59:49 admin set github: 89294
2021-10-15 21:35:17 FFY00 set nosy: + ncoghlan, dstufft, pradyunsg
2021-09-07 18:15:21 nutjob4life create
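
A pre-flight check and workaround for the failure reported above, as an added example that is not part of the original report or of CPython's code. It assumes the stray `setup.cfg` is picked up from the current working directory and parsed as an INI file; the helper names (`check_setup_cfg`, `venv_command`, `create_venv_isolated`) are hypothetical.

```python
import configparser
import subprocess
import sys
import tempfile
from pathlib import Path


def check_setup_cfg(directory):
    """Return None if `directory` has no setup.cfg or it parses as INI,
    otherwise a one-line description of the parse error."""
    cfg = Path(directory) / "setup.cfg"
    if not cfg.is_file():
        return None
    # Assumption: the file is read with INI (configparser) syntax.
    parser = configparser.RawConfigParser()
    try:
        with cfg.open(encoding="utf-8") as handle:
            parser.read_file(handle)
    except (configparser.Error, UnicodeDecodeError) as exc:
        return f"{cfg}: {type(exc).__name__}: {str(exc).splitlines()[0]}"
    return None


def venv_command(env_dir):
    """Build the venv command with an absolute target path, so the
    command means the same thing whatever directory it is run from."""
    return [sys.executable, "-m", "venv", str(Path(env_dir).resolve())]


def create_venv_isolated(env_dir):
    """Report an unparsable setup.cfg in the cwd, then run venv from an
    empty scratch directory so no local config file is in its cwd."""
    problem = check_setup_cfg(Path.cwd())
    if problem:
        print(f"warning: unparsable config in cwd: {problem}", file=sys.stderr)
    with tempfile.TemporaryDirectory() as scratch:
        subprocess.run(venv_command(env_dir), cwd=scratch, check=True)


if __name__ == "__main__":
    create_venv_isolated(sys.argv[1] if len(sys.argv) > 1 else "venv")
```

Run from `/tmp/demo` in the reproduction above, the check names the offending file instead of leaving only the `ensurepip` exit status to go on.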