Message378108
I'm not saying that this issue is not a vulnerability, just that the scope is limited.
By default, downloaded from the Internet are disabled. You have to opt-in for that using -u network (or -u all which enables the network resource) command line option of "./python -m test".
Impacted:
* "make testall", "make testuniversal" and "make buildbottest" commands are impacted (pass -u all to the test suite).
* Python buildbot workers are impacted: they run the "make buildbottest" command.
* Travis CI is impacted: it runs "./python -m test -uall,-cpu (...)".
* Multiple GitHub Action jobs are impacted (coverage, Windows, macOS, Ubuntu): run "-uall,-cpu".
* Azure Pipelines jobs are impacted: use -uall,-cpu.
> https://src.fedoraproject.org/rpms/python3.9/blob/master/f/python3.9.spec#_1168
Fedora packages are not impacted: no -u option is passed to the test suite.
> Anyone building with --enable-optimizations (PGO) will likely do so as well, though I'm not sure if that runs this part of the testsuite.
PGO build is not impacted, it uses "./python -m test --pgo" (download is disabled). Moreover, multibyte codec checks are not run by this command (see Lib/test/libregrtest/pgo.py, only test_codecs of codec tests is run). |
|
Date |
User |
Action |
Args |
2020-10-06 10:28:20 | vstinner | set | recipients:
+ vstinner, zach.ware, serhiy.storchaka, The Compiler, pablogsal |
2020-10-06 10:28:20 | vstinner | set | messageid: <1601980100.06.0.400513384878.issue41944@roundup.psfhosted.org> |
2020-10-06 10:28:20 | vstinner | link | issue41944 messages |
2020-10-06 10:28:19 | vstinner | create | |
|