Author steve.dower
Recipients brett.cannon, eric.snow, izbyshev, ncoghlan, ned.deily, paul.moore, steve.dower, tim.golden, zach.ware
Date 2016-12-07.19:16:38
Message-id <1481138198.17.0.971177600516.issue28896@psf.upfronthosting.co.za>
In-reply-to
Content
+Ned

Could we get a doc patch into 3.6 marking this class as deprecated? It appears like the importlib docs are the only ones that refer to the class, and none of the docs describe the functionality or indicate that it is enabled by default.

I could also pitch this as a security vulnerability and push for removing the default .append() right now? Since we wouldn't remove the class itself, restoring the previous behavior just requires inserting it into meta_path again. And Alexey is right that it actually allows a non-admin user to shadow any non-builtin module.

Looking at the latest pywin32 installer, they actually *remove* the keys they used to add here because they cause problems. So I think we're fairly safe to disable the finder by default and deprecate it into the future.
History
Date User Action Args
2016-12-07 19:16:38 steve.dower set recipients: + steve.dower, brett.cannon, paul.moore, ncoghlan, tim.golden, ned.deily, eric.snow, zach.ware, izbyshev
2016-12-07 19:16:38 steve.dower set messageid: <1481138198.17.0.971177600516.issue28896@psf.upfronthosting.co.za>
2016-12-07 19:16:38 steve.dower link issue28896 messages
2016-12-07 19:16:38 steve.dower create
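
Added example (not part of the message above and not CPython code): a defensive check that reports which of a set of module names the registry finder on meta_path would resolve ahead of any later finder, and then drops that finder from meta_path. The function names are hypothetical, and matching the finder by its class name WindowsRegistryFinder is an assumption of this sketch.

```python
import sys

FINDER_NAME = "WindowsRegistryFinder"  # assumption: match the finder by class name


def is_registry_finder(finder):
    # meta_path normally holds the class itself; accept instances as well.
    cls = finder if isinstance(finder, type) else type(finder)
    return cls.__name__ == FINDER_NAME


def resolving_finder(name, meta_path=None):
    """Return the first meta_path entry whose find_spec() claims `name`."""
    path = sys.meta_path if meta_path is None else meta_path
    for finder in path:
        find_spec = getattr(finder, "find_spec", None)
        # Top-level names only, so no parent package path is passed.
        if find_spec is not None and find_spec(name, None) is not None:
            return finder
    return None


def shadowed_by_registry(names, meta_path=None):
    """Names that the registry finder resolves before any later finder."""
    hits = []
    for name in names:
        finder = resolving_finder(name, meta_path)
        if finder is not None and is_registry_finder(finder):
            hits.append(name)
    return hits


def disable_registry_finder(meta_path=None):
    """Remove the registry finder in place; return how many entries were dropped."""
    path = sys.meta_path if meta_path is None else meta_path
    kept = [f for f in path if not is_registry_finder(f)]
    removed = len(path) - len(kept)
    path[:] = kept
    return removed


if __name__ == "__main__":
    sample = ["json", "sqlite3", "ssl"]  # constructed sample of module names
    print("resolved via registry:", shadowed_by_registry(sample))
    print("registry finder entries removed:", disable_registry_finder())
```

Run it at interpreter startup, before third-party imports, so that later imports fall through to the remaining finders.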