Message 388462 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	frankli
Recipients	christian.heimes, docs@python, frankli, steve.dower, vstinner, zkonge
Date	2021-03-10.21:59:01
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1615413541.96.0.606167746393.issue43438@roundup.psfhosted.org>
In-reply-to

Content
PEP 551 is confusing. It looked suggesting that it's a "security tool" that "detects, identifies and analyzes misuse of Python" to me (and apparently many others). examples shown in the PEP includes WannaCrypt, APTs, all of which involves the good old remote code execution, which is basically a sandboxed environment it self, at least in some way. also, the challenges provided the contestants with a "background story" that enables an attacker to execute arbitrary code doesn't mean that one HAVE to gain code execution to achieve the goal of bypassing the aevents. in this case, one only have to find the list object which contains the audit hooks registered, and clear it(or replace it). this clearly breaks the promise made in PEP 578 (Hooks cannot be removed or replaced). THIS SHOULD BE FIXED. ALSO(again), the software is not always doing what it's designed to do. maybe, I mean maybe, developers should make changes according to what users are doing. I don't know, really.

PEP 551 is confusing. It looked suggesting that it's a "security tool" that "detects, identifies and analyzes misuse of Python" to me (and apparently many others).

examples shown in the PEP includes WannaCrypt, APTs, all of which involves the good old remote code execution, which is basically a sandboxed environment it self, at least in some way.

also, the challenges provided the contestants with a "background story" that enables an attacker to execute arbitrary code doesn't mean that one HAVE to gain code execution to achieve the goal of bypassing the aevents. in this case, one only have to find the list object which contains the audit hooks registered, and clear it(or replace it). this clearly breaks the promise made in PEP 578 (Hooks cannot be removed or replaced). THIS SHOULD BE FIXED.

ALSO(again), the software is not always doing what it's designed to do. maybe, I mean maybe, developers should make changes according to what users are doing. I don't know, really.

History
Date	User	Action	Args
2021-03-10 21:59:02	frankli	set	recipients: + frankli, vstinner, christian.heimes, docs@python, steve.dower, zkonge
2021-03-10 21:59:01	frankli	set	messageid: <1615413541.96.0.606167746393.issue43438@roundup.psfhosted.org>
2021-03-10 21:59:01	frankli	link	issue43438 messages
2021-03-10 21:59:01	frankli	create