Message 282632 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	izbyshev
Recipients	izbyshev, paul.moore, steve.dower, tim.golden, zach.ware
Date	2016-12-07.16:38:27
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1481128708.35.0.521458556277.issue28896@psf.upfronthosting.co.za>
In-reply-to

Content
The docs claim: "... the embedded distribution is (almost) fully isolated from the user’s system, including environment variables, system registry settings, and installed packages." Via ProcessMonitor tool I've discovered that python.exe still accesses keys like "HKLM\Software\Python\PythonCore\3.5\Modules\collections" on every module import, allowing registry settings to override the location of any non-builtin module. Digging into the 3.5.2 code revealed that WindowsRegistryFinder is unconditionally added to sys.meta_path (Lib/importlib/_bootstrap_external.py, line 1422): if _os.__name__ == 'nt': sys.meta_path.append(WindowsRegistryFinder) It can also be confirmed in runtime: Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 25 2016, 22:18:55) [MSC v.1900 64 bit (AMD64)] on win32 Type "help", "copyright", "credits" or "license" for more information. >>> import sys >>> print(sys.meta_path) [<class '_frozen_importlib.BuiltinImporter'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external.PathFinder'>] Is this behavior intended? It seems to be against doc claims and the goal of embeddability.

The docs claim: "... the embedded distribution is (almost) fully isolated from the user’s system, including environment variables, system registry settings, and installed packages."

Via ProcessMonitor tool I've discovered that python.exe still accesses keys like "HKLM\Software\Python\PythonCore\3.5\Modules\collections" on every module import, allowing registry settings to override the location of any non-builtin module.

Digging into the 3.5.2 code revealed that WindowsRegistryFinder is unconditionally added to sys.meta_path (Lib/importlib/_bootstrap_external.py, line 1422):

    if _os.__name__ == 'nt':
        sys.meta_path.append(WindowsRegistryFinder)

It can also be confirmed in runtime:

Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 25 2016, 22:18:55) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> print(sys.meta_path)
[<class '_frozen_importlib.BuiltinImporter'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external.PathFinder'>]

Is this behavior intended? It seems to be against doc claims and the goal of embeddability.

History
Date	User	Action	Args
2016-12-07 16:38:28	izbyshev	set	recipients: + izbyshev, paul.moore, tim.golden, zach.ware, steve.dower
2016-12-07 16:38:28	izbyshev	set	messageid: <1481128708.35.0.521458556277.issue28896@psf.upfronthosting.co.za>
2016-12-07 16:38:28	izbyshev	link	issue28896 messages
2016-12-07 16:38:27	izbyshev	create