Author paul.moore
Recipients Alexander Riccio, brett.cannon, paul.moore, steve.dower, tim.golden, zach.ware
Date 2016-06-30.16:20:42
Message-id <1467303643.06.0.12168461001.issue26137@psf.upfronthosting.co.za>
In-reply-to
Content
>> I am puzzled as to why "use safe_exec rather than exec" isn't an option

> Because you're going to have a hard time convincing malware authors to use it.

:-) So the malicious payload is the whole python command, not just file.bin. OK, fair enough. But in that case, why hook into exec? The malware author can execute arbitrary Python so doesn't *need* exec.

As I say, though, I'm not an expert in security threats, so I'm OK with accepting that there's a hole here and the proposal plugs it.
History
Date                 User        Action  Args
2016-06-30 16:20:43  paul.moore  set     recipients: + paul.moore, brett.cannon, tim.golden, zach.ware, steve.dower, Alexander Riccio
2016-06-30 16:20:43  paul.moore  set     messageid: <1467303643.06.0.12168461001.issue26137@psf.upfronthosting.co.za>
2016-06-30 16:20:43  paul.moore  link    issue26137 messages
2016-06-30 16:20:42  paul.moore  create