This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author vstinner
Recipients The Compiler, pablogsal, serhiy.storchaka, vstinner, zach.ware
Date 2020-10-06.10:28:19
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
I'm not saying that this issue is not a vulnerability, just that the scope is limited.

By default, downloaded from the Internet are disabled. You have to opt-in for that using -u network (or -u all which enables the network resource) command line option of "./python -m test".


* "make testall", "make testuniversal" and "make buildbottest" commands are impacted (pass -u all to the test suite).

* Python buildbot workers are impacted: they run the "make buildbottest" command.

* Travis CI is impacted: it runs "./python -m test -uall,-cpu (...)".

* Multiple GitHub Action jobs are impacted (coverage, Windows, macOS, Ubuntu): run "-uall,-cpu".

* Azure Pipelines jobs are impacted: use -uall,-cpu.


Fedora packages are not impacted: no -u option is passed to the test suite.

> Anyone building with --enable-optimizations (PGO) will likely do so as well, though I'm not sure if that runs this part of the testsuite.

PGO build is not impacted, it uses "./python -m test --pgo" (download is disabled). Moreover, multibyte codec checks are not run by this command (see Lib/test/libregrtest/, only test_codecs of codec tests is run).
Date User Action Args
2020-10-06 10:28:20vstinnersetrecipients: + vstinner, zach.ware, serhiy.storchaka, The Compiler, pablogsal
2020-10-06 10:28:20vstinnersetmessageid: <>
2020-10-06 10:28:20vstinnerlinkissue41944 messages
2020-10-06 10:28:19vstinnercreate