> On Sep 1, 2014, at 11:35 AM, Nick Coghlan <ncogh...@gmail.com> wrote:
> 
> 
> On 2 Sep 2014 00:59, "Antoine Pitrou" <solip...@pitrou.net> wrote:
> >
> > On Tue, 2 Sep 2014 00:53:11 +1000
> > Nick Coghlan <ncogh...@gmail.com> wrote:
> > > >
> > > > To be frank I don't understand what you're arguing about.
> > >
> > > When I said "shadowing ssl can be tricky to arrange", Chris correctly
> > > interpreted it as referring to the filesystem based privilege escalation
> > > scenario that isolated mode handles, not to normal in-process
> > > monkeypatching or module injection.
> >
> > There's no actual difference. You can have a sitecustomize.py that does
> > the monkeypatching or the shadowing. There doesn't seem to be anything
> > "tricky" about that.
> 
> Oh, now I get what you mean - yes, sitecustomize already poses the same kind 
> of problem as the proposed sslcustomize (hence the existence of the related 
> command line options).
> 
> I missed that you had switched to talking about using that attack vector, 
> rather than trying to shadow stdlib modules directly through the filesystem 
> (which is the only tricky thing I was referring to).
> 
> Cheers,
> Nick.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: 
> https://mail.python.org/mailman/options/python-dev/donald%40stufft.io


Or you can just install something with easy_install, or you can drop a .pth 
file and monkey patch there. You can’t stop people from overriding modules, 
it’s trivial to do. The sys.path ordering just makes it slightly less trivial.

—
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
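
An added example, not part of the original thread: a small audit that walks one `sys.path` directory and reports the three override mechanisms discussed above (executable `.pth` lines, `sitecustomize`/`usercustomize` hooks, and files that would shadow a stdlib module such as `ssl`). The function names, the finding labels and the sample files are constructed for illustration.

```python
import os
import sys
import tempfile

# Names whose shadowing matters here; sys.stdlib_module_names needs Python 3.10+.
STDLIB = frozenset(getattr(sys, "stdlib_module_names", ("ssl", "socket", "os")))
HOOKS = {"sitecustomize", "usercustomize"}

def audit_site_dir(directory, stdlib=STDLIB):
    """Return (kind, filename, detail) findings for one sys.path directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        stem, ext = os.path.splitext(name)
        if ext == ".pth" and os.path.isfile(full):
            # site.py exec()s any .pth line that starts with "import" + space/tab.
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if line.startswith(("import ", "import\t")):
                        findings.append(("pth-exec", name, f"line {lineno}: {line.strip()}"))
        elif ext == ".py" and stem in HOOKS:
            findings.append(("startup-hook", name, "imported by site at startup"))
        elif (ext == ".py" and stem in stdlib) or (os.path.isdir(full) and name in stdlib):
            findings.append(("stdlib-shadow", name, f"shadows '{stem}' if searched first"))
    return findings

def demo():
    """Build a constructed site directory in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        samples = {  # constructed sample files, not taken from any real system
            "paths.pth": "/opt/extra/lib\n",  # plain path entry: not flagged
            "hook.pth": "# comment\nimport ssl; ssl.patched = True\n",
            "sitecustomize.py": "import ssl\n",
            "ssl.py": "# replacement module\n",
            "requests_helper.py": "x = 1\n",  # ordinary module: not flagged
        }
        for fname, body in samples.items():
            with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_site_dir(d)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=" | ")
```

To check a real interpreter, call `audit_site_dir` on each directory returned by `site.getsitepackages()` and on `site.getusersitepackages()`.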
