
Author The Compiler
Recipients The Compiler, serhiy.storchaka, vstinner
Date 2020-10-05.10:51:01
Message-id <1601895061.9.0.320270766693.issue41940@roundup.psfhosted.org>
In-reply-to
Content
> It is also not safe to pass data downloaded from untrusted source to eval().

To make matters worse, it's downloaded via HTTP (rather than HTTPS) - so anyone who can mess with the network of a machine running the Python testsuite can run arbitrary code on that machine.

(I contacted security@python.org about this a couple of hours ago, but I guess this is effectively public now anyways :D)
History
Date                 User          Action  Args
2020-10-05 10:51:01  The Compiler  set     recipients: + The Compiler, vstinner, serhiy.storchaka
2020-10-05 10:51:01  The Compiler  set     messageid: <1601895061.9.0.320270766693.issue41940@roundup.psfhosted.org>
2020-10-05 10:51:01  The Compiler  link    issue41940 messages
2020-10-05 10:51:01  The Compiler  create
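
Added example, not part of the original message or of CPython's code: one way to handle downloaded data so that neither the transport nor the parser can lead to code execution. It assumes the file holds a plain Python literal and that a SHA-256 pin is stored alongside the code; `load_downloaded`, the URLs and the sample payloads are hypothetical and constructed for illustration.

```python
import ast
import hashlib
import hmac

# Constructed sample payloads (not taken from the Python test suite).
GOOD_BODY = b"{'name': 'example', 'values': [1, 2, 3]}"
NON_LITERAL_BODY = b"sum([1, 2, 3])"  # a call expression: eval() would execute it

# Assumption: the expected digest is committed next to the code that uses the file.
PINNED_SHA256 = hashlib.sha256(GOOD_BODY).hexdigest()


class UntrustedDataError(ValueError):
    """Raised when downloaded data fails a transport, integrity or format check."""


def load_downloaded(url, body, pinned_sha256):
    """Validate and parse bytes fetched from `url` without ever calling eval()."""
    # 1. Transport: plain HTTP lets anyone on the network path replace the body.
    if not url.lower().startswith("https://"):
        raise UntrustedDataError("refusing data fetched over a non-HTTPS URL")

    # 2. Integrity: even over HTTPS the server is an untrusted source, so the
    #    content must match a digest pinned in the repository.
    digest = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        raise UntrustedDataError("SHA-256 mismatch for downloaded data")

    # 3. Parsing: ast.literal_eval() accepts only literals (strings, numbers,
    #    tuples, lists, dicts, sets, booleans, None); names and calls are rejected.
    try:
        return ast.literal_eval(body.decode("utf-8"))
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise UntrustedDataError("downloaded data is not a plain literal") from exc


if __name__ == "__main__":
    print(load_downloaded("https://example.invalid/data.txt", GOOD_BODY, PINNED_SHA256))
```
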