New submission from Min RK:

.pth files currently allow execution of arbitrary code, triggered by lines starting with `import`. This is a rarely understood, and often misbehaving, feature. easy_install has used this feature to ensure that its packages are highest priority (even higher than stdlib). This is one of the unfortunate behaviors that pip undoes from easy_install, in part due to the problems it can cause. There is currently a proposal in setuptools to stop using this, even for easy_install.

The attached patch removes support for executing code in .pth files, throwing an ImportWarning if any such attempts at import are seen.

General question that might result in rejecting this patch: Are there any good/valid use cases for .pth files being able to execute arbitrary code at interpreter start time?

If this is accepted, some implementation questions:

1. If the feature is removed in 3.6, should a DeprecationWarning be added to 3.5?
2. Is ImportWarning the right warning class (or should there even be a warning)?

----------
components: Installation
files: 0001-disable-executing-code-in-.pth-files.patch
keywords: patch
messages: 245959
nosy: minrk
priority: normal
severity: normal
status: open
title: disable executing code in .pth files
versions: Python 3.6
Added file: http://bugs.python.org/file39836/0001-disable-executing-code-in-.pth-files.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24534>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
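To make the behaviour under discussion concrete, here is an added example (not the attached patch and not code from CPython's site.py) that classifies the lines of a .pth file the way `site.addpackage()` treats them and then processes the file the way the patch proposes: path lines are resolved and added, `import` lines are never executed and instead raise an ImportWarning. The .pth content, the egg directory name and the `demo()` helper are constructed for the illustration.

```python
import os
import tempfile
import warnings
from typing import List, Tuple

# Constructed sample .pth content (not from the issue). The last two lines
# are the kind easy_install wrote: they start with "import" and site.py
# exec()s them at interpreter start-up, which is the behaviour under discussion.
SAMPLE_PTH = """\
# comment lines are skipped
mypkg-1.0-py3.egg
does-not-exist

import sys; sys.path.insert(0, "/opt/vendor")
import os
"""


def classify_pth_lines(text: str) -> List[Tuple[str, str]]:
    """Classify each .pth line with the same rules site.addpackage() applies.

    kind is one of:
      "comment" - starts with '#', skipped
      "blank"   - whitespace only, skipped
      "exec"    - starts with 'import ' or 'import\\t'; site.py exec()s it
      "path"    - anything else; appended to sys.path if the directory exists
    """
    out = []
    for line in text.splitlines():
        if line.startswith("#"):
            out.append(("comment", line))
        elif line.strip() == "":
            out.append(("blank", line))
        elif line.startswith(("import ", "import\t")):
            out.append(("exec", line))
        else:
            out.append(("path", line.rstrip()))
    return out


def process_pth_safely(text, sitedir, known_paths=None):
    """Process .pth text like site.addpackage(), but never exec() anything.

    An "exec" line produces an ImportWarning and is skipped, which is what the
    patch in this issue proposes. Returns (added_paths, skipped_exec_lines).
    """
    known = set(known_paths or ())
    added, skipped = [], []
    for kind, line in classify_pth_lines(text):
        if kind in ("comment", "blank"):
            continue
        if kind == "exec":
            warnings.warn("ignoring executable line in .pth file: %r" % line,
                          ImportWarning)
            skipped.append(line)
            continue
        # Same resolution as site.makepath(): join, abspath, normcase for the key.
        d = os.path.abspath(os.path.join(sitedir, line))
        key = os.path.normcase(d)
        if key not in known and os.path.exists(d):
            added.append(d)
            known.add(key)
    return added, skipped


def demo():
    """Build a throwaway site directory, process SAMPLE_PTH, summarise."""
    sitedir = tempfile.mkdtemp()
    os.mkdir(os.path.join(sitedir, "mypkg-1.0-py3.egg"))  # the only real dir
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        added, skipped = process_pth_safely(SAMPLE_PTH, sitedir)
    return {
        "added": [os.path.basename(p) for p in added],
        "skipped": skipped,
        "warnings": sum(1 for w in caught if issubclass(w.category, ImportWarning)),
    }


if __name__ == "__main__":
    for kind, line in classify_pth_lines(SAMPLE_PTH):
        print("%-7s %r" % (kind, line))
    print(demo())
```

Running `demo()` adds only the one directory that exists, skips `does-not-exist` without complaint (that matches stock site.py), and turns both `import` lines into ImportWarnings instead of executing them. Because the real site.py suppresses ImportWarning by default, a deployment that wanted to see these warnings would still need `-W` or `PYTHONWARNINGS` to surface them, which is relevant to the second implementation question in the message.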