[issue28896] Embeddable zip allows Windows registry to override module location

2017-03-31 Thread Donald Stufft
Changes by Donald Stufft -- pull_requests: +1033

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-15 Thread Ned Deily
Ned Deily added the comment: [cherrypicked for 3.6.0rc2] -- priority: release blocker ->

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-15 Thread Roundup Robot
Roundup Robot added the comment: New changeset 6249350e654a by Steve Dower in branch '3.6': Issue #28896: Deprecate WindowsRegistryFinder https://hg.python.org/cpython/rev/6249350e654a

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-12 Thread Steve Dower
Steve Dower added the comment: And that commit removes WindowsRegistryFinder from sys.meta_path on startup (as well as fixing regeneration of importlib when building on Windows). It should *not* be cherry picked for 3.6.0. -- resolution: -> fixed stage: commit review -> resolved

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-12 Thread Roundup Robot
Roundup Robot added the comment: New changeset 5bd248c2cc75 by Steve Dower in branch '3.6': Issue #28896: Disable WindowsRegistryFinder by default. https://hg.python.org/cpython/rev/5bd248c2cc75 New changeset 4bd131b028ce by Steve Dower in branch 'default': Issue #28896: Disable

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-08 Thread Alexey Izbyshev
Alexey Izbyshev added the comment: Thanks to Steve and everyone for quick and decisive action!

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-08 Thread Steve Dower
Steve Dower added the comment: I assumed silence meant everyone was happy with the wording, so I extended it to whatsnew and NEWS and pushed. Ned - the changeset above should be good for you to cherrypick. I'll leave this issue open to cover actually removing the finder from sys.meta_path in

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-08 Thread Roundup Robot
Roundup Robot added the comment: New changeset 25df9671663b by Steve Dower in branch '3.6': Issue #28896: Deprecate WindowsRegistryFinder https://hg.python.org/cpython/rev/25df9671663b New changeset 5376b3a168c8 by Steve Dower in branch 'default': Issue #28896: Deprecate WindowsRegistryFinder

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-07 Thread Steve Dower
Changes by Steve Dower -- keywords: +patch Added file: http://bugs.python.org/file45794/28896_doc.patch

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-07 Thread Steve Dower
Steve Dower added the comment: Here's my proposed doc change for 3.6.0. Any concerns about wording? (The change to remove the line from _bootstrap_external.py will be separate, for ease of cherry-picking.) diff --git a/Doc/library/importlib.rst b/Doc/library/importlib.rst ---

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-07 Thread Ned Deily
Ned Deily added the comment: I'm OK with adding a doc change before 3.6.0 final. But since this behavior is not new with 3.6, I would rather save any code changes for 3.6.1 unless there is a consensus that this is an urgent security issue.

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-07 Thread Steve Dower
Steve Dower added the comment: +Ned Could we get a doc patch into 3.6 marking this class as deprecated? It appears like the importlib docs are the only ones that refer to the class, and none of the docs describe the functionality or indicate that it is enabled by default. I could also pitch

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-07 Thread Brett Cannon
Brett Cannon added the comment: Deprecate the importer. If I remember correctly it took us a while to even notice it was missing due to missing tests prior to importlib coming into existence (and getting anyone to care enough to help write those tests also took a lot of effort).

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-07 Thread Paul Moore
Paul Moore added the comment: I thought that most of the users of this functionality had stopped doing so (the only one I recall for certain was pywin32, and last time this came up, I think someone said they had stopped). If the functionality isn't used in any of the well-known modules, I'm

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-07 Thread Steve Dower
Steve Dower added the comment: It's not intentional, but we clearly haven't done anything to prevent it. Arguably this finder should be omitted when you run in isolated mode, and I'm on the fence about deprecating it entirely. Adding the importlib experts in case they have opinions (relevant

[issue28896] Embeddable zip allows Windows registry to override module location

2016-12-07 Thread Alexey Izbyshev
New submission from Alexey Izbyshev: The docs claim: "... the embedded distribution is (almost) fully isolated from the user’s system, including environment variables, system registry settings, and installed packages." Via ProcessMonitor tool I've discovered that python.exe still accesses