Message 356899 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	steve.dower
Recipients	Jason.Killen, christian.heimes, plokmijnuhby, steve.dower, taleinat
Date	2019-11-18.19:10:39
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1574104240.02.0.622777294724.issue38722@roundup.psfhosted.org>
In-reply-to

Content
It's a security issue because Python 3.8 says it will open files to be executed with io.open_code() instead of open(). This allows a way to bypass that. That said, this appears to be a fallback case, so I'm not hugely concerned. I haven't quite figured out why it would fall back here (that involved reading the pkgutil sources ;) ). I would vote for backporting to 3.8.1, but if Tal wants to push back and nobody else has an opinion then whatever.

It's a security issue because Python 3.8 says it will open files to be executed with io.open_code() instead of open(). This allows a way to bypass that.

That said, this appears to be a fallback case, so I'm not hugely concerned. I haven't quite figured out why it would fall back here (that involved reading the pkgutil sources ;) ).

I would vote for backporting to 3.8.1, but if Tal wants to push back and nobody else has an opinion then whatever.

History
Date	User	Action	Args
2019-11-18 19:10:40	steve.dower	set	recipients: + steve.dower, taleinat, christian.heimes, Jason.Killen, plokmijnuhby
2019-11-18 19:10:40	steve.dower	set	messageid: <1574104240.02.0.622777294724.issue38722@roundup.psfhosted.org>
2019-11-18 19:10:40	steve.dower	link	issue38722 messages
2019-11-18 19:10:39	steve.dower	create