
Author: vstinner
Recipients: The Compiler, pablogsal, serhiy.storchaka, vstinner, zach.ware
Date: 2020-10-06.10:28:19
SpamBayes Score: -1.0
Marked as misclassified: Yes
Message-id: <1601980100.06.0.400513384878.issue41944@roundup.psfhosted.org>

Content:
I'm not saying that this issue is not a vulnerability, just that the scope is limited.

By default, downloads from the Internet are disabled. You have to opt in to that using the -u network (or -u all, which enables the network resource) command line option of "./python -m test".

Impacted:

* "make testall", "make testuniversal" and "make buildbottest" commands are impacted (pass -u all to the test suite).

* Python buildbot workers are impacted: they run the "make buildbottest" command.

* Travis CI is impacted: it runs "./python -m test -uall,-cpu (...)".

* Multiple GitHub Action jobs are impacted (coverage, Windows, macOS, Ubuntu): run "-uall,-cpu".

* Azure Pipelines jobs are impacted: use -uall,-cpu.


> https://src.fedoraproject.org/rpms/python3.9/blob/master/f/python3.9.spec#_1168

Fedora packages are not impacted: no -u option is passed to the test suite.


> Anyone building with --enable-optimizations (PGO) will likely do so as well, though I'm not sure if that runs this part of the testsuite.

The PGO build is not impacted: it uses "./python -m test --pgo" (download is disabled). Moreover, multibyte codec checks are not run by this command (see Lib/test/libregrtest/pgo.py; of the codec tests, only test_codecs is run).
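The message above reasons about which invocations enable the "network" resource. The following is an added example, not part of vstinner's message nor code from CPython: a small model of how regrtest's -u option is folded into the enabled resource set (the "all", "none" and "-name" rules of Lib/test/libregrtest/cmdline.py) and of the test.support.is_resource_enabled()/requires() gate that tests consult before downloading anything. The resource name tuples are reproduced from memory of that file and should be treated as an assumption; the INVOCATIONS table is constructed from the command lines quoted in the message. Nothing here runs the real test suite or touches the network.

```python
# Added example: model of regrtest's "-u" resource handling and of the
# test.support gate.  Not CPython's code; resource names are an assumption.

ALL_RESOURCES = ('audio', 'curses', 'largefile', 'network',
                 'decimal', 'cpu', 'subprocess', 'urlfetch', 'gui')
# Resources that exist but are deliberately left out of "-u all".
RESOURCE_NAMES = ALL_RESOURCES + ('extralargefile', 'tzdata')


class ResourceDenied(Exception):
    """Raised when a test asks for a resource the run did not enable."""


def parse_use_options(use_args):
    """Turn the list of -u values from a command line into the enabled list.

    use_args holds the strings given to -u, e.g. ['all,-cpu'] for "-uall,-cpu".
    An empty list (no -u option at all, the default) enables nothing.
    """
    enabled = []
    for arg in use_args:
        for item in arg.lower().split(','):
            if item == 'all':
                enabled[:] = ALL_RESOURCES
                continue
            if item == 'none':
                del enabled[:]
                continue
            remove = item.startswith('-')
            if remove:
                item = item[1:]
            if item not in RESOURCE_NAMES:
                raise ValueError('invalid resource %r' % item)
            if remove:
                if item in enabled:
                    enabled.remove(item)
            elif item not in enabled:
                enabled.append(item)
    return enabled


def is_resource_enabled(resource, use_resources):
    """Mirror test.support.is_resource_enabled().

    use_resources is None when a test module is run directly rather than
    under regrtest; in that case every resource counts as enabled, which is
    the one situation where a network-using test runs without any -u option.
    """
    return use_resources is None or resource in use_resources


def requires(resource, use_resources):
    """Mirror test.support.requires(): raise ResourceDenied if not enabled."""
    if not is_resource_enabled(resource, use_resources):
        raise ResourceDenied('Use of the %r resource not enabled' % resource)


def network_allowed(command_line_use_args):
    """Does this invocation let tests download from the Internet?"""
    try:
        requires('network', parse_use_options(command_line_use_args))
    except ResourceDenied:
        return False
    return True


# Constructed samples: the invocations named in the message.
INVOCATIONS = {
    './python -m test':                [],           # default: nothing enabled
    './python -m test --pgo':          [],           # PGO build passes no -u
    './python -m test -u network':     ['network'],
    'make buildbottest (-u all)':      ['all'],
    'Travis / GitHub Actions / Azure': ['all,-cpu'],
}

if __name__ == '__main__':
    for name, use_args in INVOCATIONS.items():
        print('%-34s network=%s' % (name, network_allowed(use_args)))
```

Running it prints one line per invocation; only the default and --pgo runs come out with network=False, matching the scope described in the message. The use_resources=None branch is worth keeping in mind when auditing: a test file executed directly, outside regrtest, is not gated at all.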
History
Date                 User      Action  Args
2020-10-06 10:28:20  vstinner  set     recipients: + vstinner, zach.ware, serhiy.storchaka, The Compiler, pablogsal
2020-10-06 10:28:20  vstinner  set     messageid: <1601980100.06.0.400513384878.issue41944@roundup.psfhosted.org>
2020-10-06 10:28:20  vstinner  link    issue41944 messages
2020-10-06 10:28:19  vstinner  create