Nick Coghlan <ncogh...@gmail.com> added the comment:

PR submitted for 3.5. Since the problem was in a full release this time (rather than a pre-release the way it was for 3.6), I've reclassified it as a security bug, since it means some previously safe operations (where no user-writable directory would end up on sys.path even without the "-I" switch) are technically unsafe.

There's a fair combination of factors required for it to actually cause a problem though:

- it only comes up if you're *not* using isolated mode (so the "workaround" is "Use isolated mode when running privileged processes", which is something we recommend doing anyway)
- it only comes up for directory or zipfile execution, *not* normal script execution
- you have to be executing an admin-controlled directory or zipfile, rather than one the user has write access to (otherwise there's no new opportunity for code injection introduced)
- for actual privilege escalation to take place as a result of the code injection, you have to be running the command with elevated privileges

That said, I suspect exactly the above may happen when using PEX files (https://github.com/pantsbuild/pex), since I can't find any reference in their code to forcing the use of isolated mode in the underlying interpreter.

----------
keywords: -patch
nosy: +christian.heimes, encukou
stage: patch review ->

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32551>
_______________________________________
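A start-up check a privileged directory or zipfile entry point could run to confirm the conditions listed in the comment above, added here as an example and not part of the original message or of CPython: it reports whether isolated mode is on and which sys.path entries an untrusted user could write to or create. The names `risky_path_entries`, `audit_interpreter` and `trusted_uids` are hypothetical, and POSIX ownership and mode bits are assumed.

```python
import os
import stat
import sys


def risky_path_entries(entries, trusted_uids=(0,)):
    """Return (entry, checked_path, reasons) for each sys.path-style entry
    that someone outside trusted_uids could modify or create.

    Only the entry itself (or its nearest existing ancestor) is inspected;
    ancestors of an existing entry are not walked.
    """
    findings = []
    for entry in entries:
        # An empty entry means the current working directory at import time.
        target = os.path.abspath(entry or os.getcwd())
        # A missing entry can be created by whoever can write to its nearest
        # existing ancestor, so judge it by that ancestor.
        while not os.path.exists(target):
            target = os.path.dirname(target)
        st = os.stat(target)
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append("owner uid %d is not trusted" % st.st_uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group- or world-writable")
        if reasons:
            findings.append((entry, target, reasons))
    return findings


def audit_interpreter(trusted_uids=(0,)):
    """Summarise the running interpreter: isolated flag plus risky entries."""
    return {
        "isolated": bool(sys.flags.isolated),  # True when started with -I
        "findings": risky_path_entries(sys.path, trusted_uids),
    }


if __name__ == "__main__":
    report = audit_interpreter()
    print("isolated mode:", report["isolated"])
    for entry, checked, reasons in report["findings"]:
        print("risky: %r (checked %s): %s" % (entry, checked, "; ".join(reasons)))
    # Non-zero exit lets a wrapper refuse to continue with elevated privileges.
    sys.exit(1 if report["findings"] else 0)
```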