Message245965
On 29.06.2015 21:30, Min RK wrote:
>
> .pth files currently allow execution of arbitrary code, triggered by lines starting with `import`. This is a rarely understood, and often misbehaving feature. easy_install has used this feature to ensure that its packages are highest priority (even higher than stdlib). This is one of the unfortunate behaviors that pip undoes from easy_install, in part due to the problems it can cause. There is currently a proposal in setuptools to stop using this, even for easy_install.
>
> The attached patch removes support for executing code in .pth files, throwing an ImportWarning if any such attempts at import are seen.
Such a change will require a PEP, since it's an essential feature
that has been documented for a very long time:
https://docs.python.org/3.5/library/site.html
and is used by a lot of existing setuptools installations, which
would break if Python were to remove support for this.
The PEP would also need to address the reasons for removing the
feature, e.g. explain possible attack vectors, confusion caused
by this, etc.
You can then reference this patch in the PEP.
Thanks,
--
Marc-Andre Lemburg
eGenix.com

Date | User | Action | Args
2015-06-29 20:27:16 | lemburg | set | recipients: + lemburg, brett.cannon, ncoghlan, r.david.murray, eric.snow, minrk, tdsmith
2015-06-29 20:27:16 | lemburg | link | issue24534 messages
2015-06-29 20:27:16 | lemburg | create |
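The mechanism under discussion is that site.py executes any .pth line beginning with `import ` (or `import` followed by a tab), while every other non-comment line is treated as a path entry. The following auditor, added here as an example and not code from the issue or from CPython, classifies .pth lines using those same prefix rules but never calls exec(), so an administrator can list which installed .pth files would run code at interpreter start-up. The sample .pth content is constructed for the example (its first import line imitates the easy_install pattern the message refers to); the directory scan relies on site.getsitepackages()/site.getusersitepackages(), which some older virtualenv layouts lack, so it is guarded.

```python
"""Audit .pth files for executable 'import' lines without running them.

Mirrors the line-classification rules of site.addpackage(): '#' lines are
comments, lines starting with 'import ' or 'import\\t' are exec()ed by
site.py, everything else is a sys.path entry. This tool only reports.
"""
import os
import site
from typing import Dict, List, Tuple

# site.py only executes a line when it starts with exactly one of these.
EXEC_PREFIXES = ("import ", "import\t")

# Constructed sample (not a real file); the first import line imitates the
# sys.path-reordering trick easy_install wrote into easy_install.pth.
SAMPLE_PTH = """\
# constructed sample .pth
./pkg-0.1-py3.5.egg
import sys; sys.__plen = len(sys.path)
importlib_lookalike_dir
import os
"""


def classify_pth(text: str) -> List[Tuple[str, str]]:
    """Return (kind, line) pairs; kind is comment, blank, import or path."""
    result = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            result.append(("comment", raw))
        elif raw.startswith(EXEC_PREFIXES):
            # site.py exec()s the whole line, including anything after ';'
            result.append(("import", raw.rstrip()))
        elif not raw.strip():
            result.append(("blank", raw))
        else:
            # 'importlib_lookalike_dir' lands here: no space/tab after 'import'
            result.append(("path", raw.rstrip()))
    return result


def exec_lines(text: str) -> List[str]:
    """Only the lines that site.py would execute for this .pth content."""
    return [line for kind, line in classify_pth(text) if kind == "import"]


def audit_dir(sitedir: str) -> Dict[str, List[str]]:
    """Map each .pth file in sitedir to its executable lines (possibly empty)."""
    findings: Dict[str, List[str]] = {}
    if not os.path.isdir(sitedir):
        return findings
    for name in sorted(os.listdir(sitedir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(sitedir, name)
        with open(path, encoding="utf-8", errors="replace") as f:
            findings[path] = exec_lines(f.read())
    return findings


def audit_all() -> Dict[str, List[str]]:
    """Audit every site directory this interpreter would process at start-up."""
    dirs: List[str] = []
    # Guarded: older virtualenv site modules do not define these helpers.
    if hasattr(site, "getsitepackages"):
        dirs.extend(site.getsitepackages())
    if hasattr(site, "getusersitepackages"):
        dirs.append(site.getusersitepackages())
    findings: Dict[str, List[str]] = {}
    for d in dirs:
        findings.update(audit_dir(d))
    return findings


if __name__ == "__main__":
    print("Sample .pth would execute:", exec_lines(SAMPLE_PTH))
    for path, lines in audit_all().items():
        if lines:
            print(f"{path}: {len(lines)} executable line(s)")
            for line in lines:
                print("   ", line)
```

Running the script lists, for the current interpreter, every .pth file that contains code site.py would execute; a file such as easy_install.pth shows up with its `import sys; ...` lines, while plain path-only .pth files are silent.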