Message 374024 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	larry
Recipients	Tibor Csonka, anthonywee, eryksun, larry, lukasz.langa, miss-islington, ned.deily, paul.moore, steve.dower, tim.golden, vstinner, zach.ware
Date	2020-07-20.20:18:21
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1595276302.55.0.713676350952.issue29778@roundup.psfhosted.org>
In-reply-to

Content
I still don't understand why this is considered a Python security problem. If the user can put a malicious "python3.dll" at some arbitrary spot in the filesystem (e.g. a USB flash drive), and fool Python.exe into loading it, then surely they could put an arbitrary executable at that same spot and launch it directly. And that seems way more straightforward. Why would anyone bother with this?

I still don't understand why this is considered a Python security problem.  If the user can put a malicious "python3.dll" at some arbitrary spot in the filesystem (e.g. a USB flash drive), and fool Python.exe into loading it, then surely they could put an arbitrary executable at that same spot and launch it directly.  And that seems way more straightforward.  Why would anyone bother with this?

History
Date	User	Action	Args
2020-07-20 20:18:22	larry	set	recipients: + larry, paul.moore, vstinner, tim.golden, ned.deily, lukasz.langa, zach.ware, eryksun, steve.dower, Tibor Csonka, miss-islington, anthonywee
2020-07-20 20:18:22	larry	set	messageid: <1595276302.55.0.713676350952.issue29778@roundup.psfhosted.org>
2020-07-20 20:18:22	larry	link	issue29778 messages
2020-07-20 20:18:21	larry	create