New submission from Alexey Izbyshev:
The docs claim: "... the embedded distribution is (almost) fully isolated from
the user’s system, including environment variables, system registry settings,
and installed packages."
Via the ProcessMonitor tool, I've discovered that python.exe still accesses keys
like "HKLM\Software\Python\PythonCore\3.5\Modules\collections" on every module
import, allowing registry settings to override the location of any non-builtin
module.
Digging into the 3.5.2 code revealed that WindowsRegistryFinder is
unconditionally added to sys.meta_path (Lib/importlib/_bootstrap_external.py,
line 1422):
    if _os.__name__ == 'nt':
        sys.meta_path.append(WindowsRegistryFinder)
It can also be confirmed at runtime:
Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 25 2016, 22:18:55) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> print(sys.meta_path)
[<class '_frozen_importlib.BuiltinImporter'>, <class '_frozen_importlib.FrozenImporter'>, <class '_frozen_importlib_external.WindowsRegistryFinder'>, <class '_frozen_importlib_external.PathFinder'>]
Is this behavior intended? It seems to be against doc claims and the goal of
embeddability.
----------
components: Windows
messages: 282632
nosy: izbyshev, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: Embeddable zip allows Windows registry to override module location
type: behavior
versions: Python 3.5
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue28896>
_______________________________________
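An added example, not part of the original report and not CPython's own code: a startup audit an application embedding Python could run to see whether the registry finder described above is active and whether any per-module override keys exist, and to drop the finder from sys.meta_path. The function names are hypothetical; the key layout is the one quoted in the report, and checking HKCU as well as HKLM is this example's choice.

```python
import sys

try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None

# Key layout as quoted in the report, with version and module name as fields.
KEY_TEMPLATE = r"Software\Python\PythonCore\{version}\Modules\{name}"


def registry_finders(meta_path):
    """Return the meta_path entries that are the Windows registry finder."""
    return [f for f in meta_path
            if getattr(f, "__name__", type(f).__name__) == "WindowsRegistryFinder"]


def candidate_keys(version, names):
    """Registry subkeys that could redirect the given module names."""
    return [KEY_TEMPLATE.format(version=version, name=n) for n in names]


def find_overrides(version, names):
    """Return {(hive, subkey): path} for each override key that exists."""
    found = {}
    if winreg is None:  # not on Windows: nothing to inspect
        return found
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for hive_name, hive in hives.items():
        for subkey in candidate_keys(version, names):
            try:
                with winreg.OpenKey(hive, subkey) as key:
                    # The key's default value holds the redirected file path.
                    found[(hive_name, subkey)] = winreg.QueryValue(key, "")
            except OSError:
                continue  # key absent or unreadable
    return found


def drop_registry_finders(meta_path):
    """Remove the registry finder in place; return how many were removed."""
    doomed = registry_finders(meta_path)
    for finder in doomed:
        meta_path.remove(finder)
    return len(doomed)


if __name__ == "__main__":
    version = "%d.%d" % sys.version_info[:2]
    print("registry finder active:", bool(registry_finders(sys.meta_path)))
    for (hive, subkey), path in find_overrides(version, ["collections"]).items():
        print("override: %s\\%s -> %r" % (hive, subkey, path))
```

Calling drop_registry_finders(sys.meta_path) only affects imports that happen afterwards, so it belongs at the very start of the embedding application's startup code.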