New submission from Sean Kelly <ke...@seankelly.biz>:

Creating a new virtual environment with the `venv` module reads any local `setup.cfg` file that may be found; if such a file has garbage, the `venv` fails with a mysterious message.
Reproduce:

```
$ date -u
Tue Sep 7 18:12:27 UTC 2021
$ mkdir /tmp/demo
$ cd /tmp/demo
$ echo 'a < b' >setup.cfg
$ python3 -V
Python 3.9.5
$ python3 -m venv venv
Error: Command '['/tmp/demo/venv/bin/python3.9', '-Im', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.
```

(Took me a little while to figure out I had some garbage in a `setup.cfg` file in $CWD that was causing it.)

Implications:

Potential implications are that a specially crafted `setup.cfg` might cause a security-compromised virtual environment to be created maybe? I don't know.

----------
messages: 401320
nosy: nutjob4life
priority: normal
severity: normal
status: open
title: `venv` → `ensurepip` may read local `setup.cfg` and fail mysteriously
type: behavior
versions: Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue45131>
_______________________________________
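
A pre-flight check for the failure reported above, as an added example that is not part of the original report or of CPython: it parses `setup.cfg` in a directory with `configparser` and returns the parse error that the `venv` message hides. The function name `diagnose_setup_cfg` is hypothetical, and the check assumes the file is read with the INI rules that `configparser` implements.

```python
import configparser
import tempfile
from pathlib import Path


def diagnose_setup_cfg(directory="."):
    """Return None if setup.cfg is absent or parses, else a one-line reason.

    Assumption: the local setup.cfg is consumed as an INI file, so a
    configparser failure here predicts the failure seen under `venv`.
    """
    cfg = Path(directory) / "setup.cfg"
    if not cfg.is_file():
        return None
    # RawConfigParser: no value interpolation, we only care about syntax.
    parser = configparser.RawConfigParser()
    try:
        with cfg.open(encoding="utf-8") as fh:
            parser.read_file(fh)
    except (configparser.Error, UnicodeDecodeError) as exc:
        # configparser errors span several lines and echo file content;
        # keep only the first line for a compact diagnostic.
        first_line = str(exc).splitlines()[0]
        return f"{cfg}: {type(exc).__name__}: {first_line}"
    return None


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed input: the same one-line content used in the report.
        (Path(tmp) / "setup.cfg").write_text("a < b\n", encoding="utf-8")
        problem = diagnose_setup_cfg(tmp)
        if problem:
            print("refusing to create venv here:", problem)
```

Running the check from the directory where `python3 -m venv` is about to be invoked turns the opaque `ensurepip` exit status into a named parse error and file path.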