runpy should use io.open_code() instead of open() #82903
Comments
Fairly obviously, if you're using something called runpy you're probably trying to run some code. To do this it has to open the script as a file. This is similar to two other issues I'm posting, but they're in different modules, so different bugs.
I'll plan on tackling this one. I already did pdb.
I made the change but the test suite is giving me fits and I don't know why. Running:

./python -m test

392 tests OK.
1 test failed:
26 tests skipped:
Total duration: 17 min 38 sec

But running:

./python -m test -v test_tools

OK (skipped=2, expected failures=14)
== Tests result: SUCCESS ==
1 test OK.
Total duration: 2.6 sec

Any tips for a newbie?
Tests working now. PR submitted.
I don't see why this should be considered a security issue. This should likely have been done when io.open_code() was initially added, but now that 3.8 is out, I don't think backporting this would be wise.
It's a security issue because Python 3.8 says it will open files to be executed with io.open_code() instead of open(). This allows a way to bypass that. That said, this appears to be a fallback case, so I'm not hugely concerned. I haven't quite figured out why it would fall back here (that involved reading the pkgutil sources ;) ). I would vote for backporting to 3.8.1, but if Tal wants to push back and nobody else has an opinion then whatever.
Thanks Steve! I hadn't realized that we'd made such a declaration WRT opening of code files in general. In that case, this is certainly at least a bug fix, and should be backported.
Thanks for reporting this, Dominic! Thanks for the PR, Jason!
It wasn't exactly a hugely publicised declaration :) The relevant quote from PEP-578 is:
Which I admit is a big claim, and one that was not completely followed through with before 3.8.0. Calling it a "security" fix is borderline, as it isn't really a vulnerability by default, but calling it incorrect behaviour (i.e. a regular bug) is fine by me.
Thanks for the clarification Steve! I've backported this to 3.8.