
Author: lemburg
Recipients: brett.cannon, eric.snow, lemburg, minrk, ncoghlan, r.david.murray, tdsmith
Date: 2015-06-29.20:27:16
Message-id: <5591AA21.9070001@egenix.com>
In-reply-to: <1435606239.13.0.0171304559547.issue24534@psf.upfronthosting.co.za>

Content:
On 29.06.2015 21:30, Min RK wrote:
> 
> .pth files currently allow execution of arbitrary code, triggered by lines starting with `import`. This is a rarely understood, and often misbehaving feature. easy_install has used this feature to ensure that its packages are highest priority (even higher than stdlib). This is one of the unfortunate behaviors that pip undoes from easy_install, in part due to the problems it can cause. There is currently a proposal in setuptools to stop using this, even for easy_install.
> 
> The attached patch removes support for executing code in .pth files, throwing an ImportWarning if any such attempts at import are seen.

Such a change will require a PEP, since it's an essential feature
that has been documented for a very long time:

https://docs.python.org/3.5/library/site.html

and is used by a lot of existing setuptools installations, which
would break if Python were to remove support for this.

The PEP would also need to address the reasons for removing the
feature, e.g. explain possible attack vectors, confusion caused
by this, etc.

You can then reference this patch in the PEP.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com
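The quoted report describes how the site module treats a .pth line beginning with `import` as code to be executed at interpreter startup, while every other non-blank, non-comment line is appended to sys.path. An administrator auditing an installation would want to know which .pth files contain such lines. The following scanner is an added example, not code from the issue, the patch, or CPython itself; it mirrors the documented line-classification rules of `site.addpackage()` (comment, blank, `import`-prefixed, path entry) and reports the executable lines. The sample .pth text, the function names and the helper names are all constructed for this example.

```python
"""Audit .pth files for lines that the site module would exec() at startup.

Per the site module documentation, a .pth line that starts with "import "
or "import\t" is executed as Python code; "#" lines are comments, blank
lines are skipped, and anything else is treated as a path entry.
"""
import os
import site
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample, modelled on the style of an easy_install-generated .pth
# file that uses import lines to reorder sys.path (not a file from the page).
SAMPLE_PTH = """\
# constructed sample .pth content
./some_package-1.0-py3.8.egg
import sys; sys.__plen = len(sys.path)

./another_package-2.0-py3.8.egg
import sys; new = sys.path[sys.__plen:]; del sys.path[sys.__plen:]; sys.path[0:0] = new
"""


def classify_pth_lines(text: str) -> List[Tuple[int, str, str]]:
    """Return (lineno, kind, line) for every line of a .pth file.

    kind is one of 'comment', 'blank', 'exec' or 'path', following the same
    precedence the site module applies: a '#' line is a comment even if it
    mentions import, a whitespace-only line is skipped, and only a line that
    starts with 'import' followed by a space or tab is executed.
    """
    classified = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):
            kind = "comment"
        elif line.strip() == "":
            kind = "blank"
        elif line.startswith(("import ", "import\t")):
            kind = "exec"
        else:
            kind = "path"
        classified.append((lineno, kind, line.rstrip()))
    return classified


def exec_lines(text: str) -> List[Tuple[int, str]]:
    """Return only the (lineno, line) pairs that would be executed."""
    return [(n, line) for n, kind, line in classify_pth_lines(text) if kind == "exec"]


def scan_pth_files(paths: Iterable[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each .pth path that contains executable lines to those lines."""
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = exec_lines(fh.read())
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        if hits:
            findings[path] = hits
    return findings


def scan_site_dirs(dirs: Optional[Iterable[str]] = None) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every .pth file in the given site directories (default: this
    interpreter's site-packages and user site-packages)."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    pth_paths = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                pth_paths.append(os.path.join(d, name))
    return scan_pth_files(pth_paths)


if __name__ == "__main__":
    # Show the classification of the constructed sample, then audit this
    # interpreter's own site directories.
    for lineno, kind, line in classify_pth_lines(SAMPLE_PTH):
        print(f"{lineno:3d} {kind:8s} {line}")
    for path, hits in scan_site_dirs().items():
        for lineno, line in hits:
            print(f"{path}:{lineno}: executes: {line}")
```

Running the module classifies the sample (two `exec` lines, at lines 3 and 6) and then lists every executable line found in the interpreter's own .pth files, which is the set a reviewer would inspect before or after applying a change like the one proposed in the quoted patch.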
History
Date                User     Action   Args
2015-06-29 20:27:16 lemburg  set      recipients: + lemburg, brett.cannon, ncoghlan, r.david.murray, eric.snow, minrk, tdsmith
2015-06-29 20:27:16 lemburg  link     issue24534 messages
2015-06-29 20:27:16 lemburg  create