Message 336351 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	steve.dower
Recipients	Anthony Sottile, Chris Billington, Ivan.Pozdeev, SilentGhost, __Vano, barry, brett.cannon, cheryl.sabella, christian.heimes, eric.smith, eric.snow, ethan smith, ionelmc, jaraco, mhammond, ncoghlan, pitrou, steve.dower, takluyver, terry.reedy, veky
Date	2019-02-23.00:51:23
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1550883083.37.0.0797427036048.issue33944@roundup.psfhosted.org>
In-reply-to

Content
I took a look at the docs PR, and honestly I don't even get what the "intended" uses of executable code are supposed to be. The examples are "load 3rd-party import hooks, adjust PATH variable", but the only cases I can think of where you'd need to do these in a .pth file is where your module is a single file. As soon as you have a package with __init__.py, you have a file that can do exactly the same modifications before the module that needs it is imported. I'd be inclined to limit the doc change to not provide any "valid" uses for this, and just discourage doing anything that takes a long time (most of the text in the PR is fine, IMHO). And yeah, I'd like to see the arbitrary code execution "feature" removed too. As for .pth files in general, I'm interested in the scenarios that caused Barry to have to do difficult debugging where "python -m site" wasn't able to help. If they all involved arbitrary code execution, then let's take out the right tumor. But if they somehow manipulated sys.path in a way that looking at sys.path doesn't reveal, then I'd like to know how.

I took a look at the docs PR, and honestly I don't even get what the "intended" uses of executable code are supposed to be.

The examples are "load 3rd-party import hooks, adjust PATH variable", but the only cases I can think of where you'd need to do these in a .pth file is where your module is a single file. As soon as you have a package with __init__.py, you have a file that can do exactly the same modifications before the module that needs it is imported.

I'd be inclined to limit the doc change to not provide any "valid" uses for this, and just discourage doing anything that takes a long time (most of the text in the PR is fine, IMHO).

And yeah, I'd like to see the arbitrary code execution "feature" removed too.

As for .pth files in general, I'm interested in the scenarios that caused Barry to have to do difficult debugging where "python -m site" wasn't able to help. If they all involved arbitrary code execution, then let's take out the right tumor. But if they somehow manipulated sys.path in a way that looking at sys.path doesn't reveal, then I'd like to know how.

History
Date	User	Action	Args
2019-02-23 00:51:23	steve.dower	set	recipients: + steve.dower, mhammond, barry, brett.cannon, terry.reedy, jaraco, ncoghlan, pitrou, eric.smith, christian.heimes, ionelmc, SilentGhost, __Vano, eric.snow, takluyver, veky, Ivan.Pozdeev, Anthony Sottile, ethan smith, cheryl.sabella, Chris Billington
2019-02-23 00:51:23	steve.dower	set	messageid: <1550883083.37.0.0797427036048.issue33944@roundup.psfhosted.org>
2019-02-23 00:51:23	steve.dower	link	issue33944 messages
2019-02-23 00:51:23	steve.dower	create