On 10.05.2015 05:04, Robert Collins wrote: > On 10 May 2015 at 11:44, Chris Angelico <ros...@gmail.com> wrote: >> On Sun, May 10, 2015 at 4:13 AM, M.-A. Lemburg <m...@egenix.com> wrote: >>> By providing a way to intentionally switch off the new default, >>> we do make people aware of the risks and that's good enough, >>> while still maintaining the contract people rightly expect of >>> patch level releases of Python. >> >> Just as long as it's the sysadmin, and NOT some random attacker over >> the internet, who has the power to downgrade security. Environment >> variables can be attacked in various ways. > > They can, and the bash fun was very good evidence of that. > > OTOH if someones environment is at risk, PATH and PYTHONPATH are > already very effective attack vectors.
If an attacker has access to the process environment, you're doomed anyway, so that's not really an argument for or against using environment variables :-) You'd just need to create a file os.py and point PYTHONPATH at it. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, May 11 2015) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> mxODBC Plone/Zope Database Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ ::::: Try our mxODBC.Connect Python Database Interface for free ! :::::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
