Message 414701 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	steve.dower
Recipients	eric.snow, ned.deily, pablogsal, ronaldoussoren, steve.dower, vinay.sajip
Date	2022-03-07.22:01:28
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<7527fc63-1c40-b043-025c-420bfd846fd4@python.org>
In-reply-to	<1646689197.55.0.8791430941.issue46890@roundup.psfhosted.org>

Content
> This could be problematic, adding a suitably named file outside of $PREFIX breaks the python installation. Might be worth changing it then. I double/triple checked whether searching up for the zip file was the old behaviour, and it sure seemed to be (it wasn't on Windows). Will only be a little tweak to change, since both codepaths are already there. My assumption was that any higher-level directories in that tree would be at least as restricted as where Python is installed, so anyone who could hijack it there could also have modified it closer to the actual file.

> This could be problematic, adding a suitably named file outside of $PREFIX breaks the python installation.

Might be worth changing it then. I double/triple checked whether 
searching up for the zip file was the old behaviour, and it sure seemed 
to be (it wasn't on Windows). Will only be a little tweak to change, 
since both codepaths are already there.

My assumption was that any higher-level directories in that tree would 
be at least as restricted as where Python is installed, so anyone who 
could hijack it there could also have modified it closer to the actual file.

History
Date	User	Action	Args
2022-03-07 22:01:28	steve.dower	set	recipients: + steve.dower, vinay.sajip, ronaldoussoren, ned.deily, eric.snow, pablogsal
2022-03-07 22:01:28	steve.dower	link	issue46890 messages
2022-03-07 22:01:28	steve.dower	create