Message 254691 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	r.david.murray
Recipients	SilentGhost, TheRegRunner, dstufft, eric.araujo, r.david.murray
Date	2015-11-15.19:36:54
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1447616215.25.0.556161643247.issue25627@psf.upfronthosting.co.za>
In-reply-to

Content
Since setup.py can run arbitrary python code, it is pointless to worry about this from a security perspective. The change is otherwise not a bad idea, though, since it avoids filename quoting problems. Is there any chance this would break existing setup.py files that do their own quoting of the filenames to get around the quoting problem? I'm guessing not since the filename gets used in multiple contexts, and the other contexts probably require an unquoted filename. Which would make this a simple bug fix against bdist_rpm. However, why not convert to using Popen?

Since setup.py can run arbitrary python code, it is pointless to worry about this from a security perspective.  The change is otherwise not a bad idea, though, since it avoids filename quoting problems.  Is there any chance this would break existing setup.py files that do their own quoting of the filenames to get around the quoting problem?  I'm guessing not since the filename gets used in multiple contexts, and the other contexts probably require an unquoted filename. Which would make this a simple bug fix against bdist_rpm.

However, why not convert to using Popen?

History
Date	User	Action	Args
2015-11-15 19:36:55	r.david.murray	set	recipients: + r.david.murray, eric.araujo, SilentGhost, dstufft, TheRegRunner
2015-11-15 19:36:55	r.david.murray	set	messageid: <1447616215.25.0.556161643247.issue25627@psf.upfronthosting.co.za>
2015-11-15 19:36:55	r.david.murray	link	issue25627 messages
2015-11-15 19:36:54	r.david.murray	create